
OpenSAMM and BSIMM: A Comparison of Software Security Maturity Models


Added on  2022-11-24

7 Pages | 1359 Words | 162 Views
OpenSAMM and BSIMM: A Comparison of Software Security Maturity Models_1

Introduction
With IT becoming a critical requirement in government and business operations, the threat of
malicious attacks has increased exponentially. A major enabler of security breaches is the
existence of vulnerabilities in new and existing software used by organizations. As such,
subjecting a software solution to rigorous review and testing is critical. Such reviews and
tests, including extensive code review, help eliminate vulnerabilities and thus reduce the
chances of a successful malicious attack (Jaatun, 2015). Organizations therefore have to adopt a
software security maturity model: a framework that helps an organization formulate and implement
strategies for software security, tailored to the specific risks it faces. Two of the most
commonly used frameworks are OpenSAMM and BSIMM.
This report presents an analysis of the OpenSAMM and BSIMM software security maturity models.
The report compares and contrasts the two models and gives the pros and cons of applying
each of them. The analysis is done in the context of applying the models to the U.S.
Department of Health and Human Services' software development and maintenance activities.
OpenSAMM
The Open Software Assurance Maturity Model (OpenSAMM) is a prescriptive model maintained by
the OWASP project (Heiland, Thomas, Welch & Jackson, 2013). The model classifies application
security maturity into four business functions, namely:
Governance: outlines how software is to be managed within the organization.
Construction: details how software applications are to be built.
Verification: outlines how software applications are to be tested.
Deployment: specifies how applications are to be deployed and supported in a production
environment (Jaatun, 2015).

Figure 1.0 Overview of Open Software Assurance Maturity Model
Building Security In Maturity Model (BSIMM)
The BSIMM is a descriptive security maturity model consisting of 12 defined practices,
which are categorized into four domains: "governance, intelligence, secure software
development lifecycle (S-SDLC) touch points, and deployments" (McGraw, 2015).
Under the Governance domain, BSIMM outlines strategy and metrics, policy and compliance, and
training. Under the Intelligence domain, the framework outlines attack models, the design of
security features, and the required standards. Under the SSDL touch points domain, the model
describes architectural analysis, code review, and security testing. Finally, under the
Deployment domain, BSIMM outlines penetration testing, the software environment, and
configuration and vulnerability management (McGraw, Migues & West, 2015).
