Security Innovation is very excited to be part of the consortium of AppSec vendors that are working to create a dataset of organizational security maturities.
I’m personally very excited because I’ve been living and breathing Secure Software Development Lifecycles (SSDLC) for the past two years and having a method for a company to benchmark its SSDLC against comparable organizations can help me show our clients how their peers are investing in improving their security posture.
By using the Open Software Assurance Maturity Model (OpenSAMM), we settle on a widely respected standard that is applicable to many industries.
Security Innovation has been conducting SDLC Gap Analyses for a long time now, and we’ve developed our own AppSec maturity model based on two factors:
- The industry recognized levels of the Capability Maturity Model Integration (CMMI)
- Our own extensive experience of what works
We’ve identified the best practices and security engineering activities that provide the most ROI and the OpenSAMM security practices align very well with our own recommendations.
The OpenSAMM guide came out in 2009, and it’s starting to feel a little dated… especially in regards to the cloud and mobile space. Despite these limitations, it’s stood up well and has provided excellent guidance for any organization trying to take their software security process to the next level. On top of that, the upcoming newest version of the OpenSAMM, version 1.1, looks very promising in addressing many of the new directions that the software industry has taken in the past few years.
I’m certain that the new version will be even better due to the extensive software security experience of OWASP (and others) in improving what’s already a lightweight, actionable, and effective guide.
We are already working with a number of our clients to update our previous SDLC Gap Analyses and anonymize their data for inclusion into the OpenSAMM dataset… but for companies that can’t wait, there will be a self-assessment mechanism to get your own data into the database soon.