
Software Assurance Maturity Model - opensamm.org

Software Assurance Maturity Model
A guide to building security into software development
Version

This work is licensed under the Creative Commons Attribution-Share Alike License. To view a copy of this license, visit the Creative Commons web site or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105.

Arciniegas, Matt Bartoldus, Sebastien Deleersnyder, Jonathan Carter, Darren Challey, Brian Chess, Dinis Cruz, Justin Derry, Bart De Win, James McGovern, Matteo Meucci, Jeff Payne, Gunnar Peterson, Jeff Piper, Andy Steingruebl, John Steven, Chad Thunberg, Colin Watson, Jeff Williams

Acknowledgements

SAMM / Software Assurance Maturity Model - v1.0

Section tabs (page numbers as printed): Assess existing software assurance practices (5); Executive Summary (3); Business Functions (8-9); Governance (10-11); Construction (12-13); Verification (14-15); Deployment (16-17); Conducting Assessments (21-25); Creating Scorecards (26); Using the Maturity Levels (20); Strategy & Metrics (34-37); Policy & Compliance (38-41)


Transcription of Software Assurance Maturity Model - opensamm.org


The Software Assurance Maturity Model (SAMM) was originally developed, designed, and written by Pravir Chandra, an independent software security consultant. Creation of the first draft was made possible through funding from Fortify Software, Inc. This document is currently maintained and updated through the OpenSAMM Project led by Pravir Chandra. Since the initial release of SAMM, this project has become part of the Open Web Application Security Project (OWASP). Thanks also go to the many supporting organizations that are listed on the back.

Contributors & reviewers

This work would not be possible without the support of many individual reviewers and experts that offered contributions and critical feedback.

They are (in alphabetical order) the contributors listed on the cover page.

For the latest version and additional information, please see the project web site.

Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP, and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501(c)3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Visit OWASP online. SAMM is an OWASP Project.

SAMM / Software Assurance Maturity Model - Summary

[Figure: SAMM Overview. Software Development is divided into four Business Functions, each tied to three Security Practices:]
Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
Construction: Threat Assessment; Security Requirements; Secure Architecture
Verification: Design Review; Code Review; Security Testing
Deployment: Vulnerability Management; Environment Hardening; Operational Enablement

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

- Evaluating an organization's existing software security practices
- Building a balanced software security assurance program in well-defined iterations
- Demonstrating concrete improvements to a security assurance program
- Defining and measuring security-related activities throughout an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development.

Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project. Beyond these traits, SAMM was built on the following principles:

- An organization's behavior changes slowly over time: a successful software security program should be specified in small iterations that deliver tangible assurance gains while incrementally working toward long-term goals.
- There is no single recipe that works for all organizations: a software security framework must be flexible and allow organizations to tailor their choices based on their risk tolerance and the way in which they build and use software.
- Guidance related to security activities must be prescriptive: all the steps in building and assessing an assurance program should be simple, well-defined, and measurable.

This model also provides roadmap templates for common types of organizations. The foundation of the model is built upon the core business functions of software development, with security practices tied to each (see diagram above). The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance.

Additional details are included to measure successful activity performance, understand the associated assurance benefits, and estimate personnel and other costs. As an open project, SAMM content shall always remain vendor-neutral and freely available for all to use.

SAMM / Software Assurance Maturity Model - Contents

Executive Summary .. 3
Understanding the Model .. 6
  Business Functions .. 8
  Governance .. 10
  Construction .. 12
  Verification .. 14
  Deployment .. 16
Applying the Model .. 18
  Using the Maturity Levels .. 20
  Conducting Assessments .. 21

  Creating Scorecards .. 26
  Building Assurance Programs .. 27
  Independent Software Vendor .. 28
  Online Service Provider .. 29
  Financial Services Organization .. 30
  Government Organization .. 31
The Security Practices .. 32
  Strategy & Metrics .. 34
  Policy & Compliance .. 38
  Education & Guidance .. 42
  Threat Assessment .. 46
  Security Requirements .. 50
  Secure Architecture .. 54
  Design Analysis .. 58
  Code Review .. 62
  Security Testing .. 66
  Vulnerability Management .. 70
  Environment Hardening .. 74
  Operational Enablement .. 78
Case Studies .. 82
  VirtualWare .. 84
