Assessing the Secure Software Lifecycle

There are different assessment approaches to evaluate the maturity of the secure development lifecycle:

  • Software Assurance Maturity Model (SAMM).

  • Building Security in Maturity Model (BSIMM).

  • Common Criteria (CC).

SAMM

Assessment of a development process.

  1. Define and measure security-related activities within an organization.

  2. Evaluate their existing software security practices.

  3. Build a balanced software security program in well-defined iterations.

  4. Demonstrate improvements in a security assurance program.

Uses 12 security practices, each grouped under one of 4 business functions:

  • Governance

  • Construction

  • Verification

  • Deployment

Provides an organization maturity level (0 to 3).

BSIMM

Assessment of a development process, based on SAMM.

Uses 12 security practices, each grouped under one of 4 business functions:

  • Governance

  • Intelligence

  • Secure software development lifecycle touchpoints

  • Deployment

Provides comparison to other BSIMM-assessed companies.

CC

Provides a means for international recognition of evaluated, secure information technology products.

Evaluation and certification are performed through an authorized Certification/Validation Body.

Certified/validated products can be reused with no further evaluation.

Based on Evaluation Assurance Levels (EAL1 to EAL7):

  1. Functionally tested.

  2. Structurally tested.

  3. Methodically tested and checked.

  4. Methodically designed, tested, and reviewed.

  5. Semi-formally designed and tested.

  6. Semi-formally verified design and tested.

  7. Formally verified design and tested.
