Web application security - the fast guide 1.1 | Page 183
Chapter 9 - Secure Application Development
SAMM relates each security practice to one of four business functions, which are
defined as follows:
Governance: how an organization manages its overall software development
activities. More specifically, this covers concerns that involve the people engaged
in development as well as the business processes established at the organization
level.
Construction: processes and activities related to how an organization defines
goals and creates software within development projects. In general, this includes
product management, requirements gathering, high-level architecture
specification, detailed design, and implementation.
Verification: processes and activities related to how an organization checks and
tests the artifacts produced throughout software development.
Deployment: processes and activities related to how an organization manages the
release of the software that has been created. This can involve shipping products
to end users, deploying products to internal or external hosts, and the normal
operation of the software in its runtime environment.
Each of the twelve security practices attached to the business functions has three
maturity levels plus an additional level zero. The maturity levels are as follows:
Level 0: implicit starting point, representing the activities in the practice being
unfulfilled.
Level 1: initial understanding and ad hoc provision of the security practice.
Level 2: increased efficiency and/or effectiveness of the security practice.
Level 3: comprehensive mastery of the security practice at scale.
For each maturity level of a security practice, the model also describes a set of
objectives and activities that help decide whether that maturity level has been
reached.
For a more comprehensive reference on SAMM, please refer to the document titled
(SAMM-1.0) in the supplementary materials.
9.7 Building Security In Maturity Model (BSIMM):
BSIMM groups its security practices into domains. The first two domains and
their practices are:
Governance domain: Strategy and Metrics (SM), Compliance and Policy (CP),
Training (T)
Intelligence domain: Attack Models (AM), Security Features and Design (SFD),
Standards and Requirements (SD)