Web application security - the fast guide 1.1 | Page 184

Chapter 9 - Secure Application Development

(BSIMM domains and their security practices, continued)

SSDL touch points:
  - Architecture Analysis (AA)
  - Code Review (CR)
  - Security Testing (ST)

Deployment:
  - Penetration Testing (PT)
  - Software Environment (SE)
  - Configuration Management & Vulnerability Management (CMVM)

BSIMM is similar to SAMM, but it considers what are called domains instead of business functions, and each domain defines a set of security practices. The defined domains are:

- Governance: Practices that help organize, manage, and measure a software security initiative. Staff development is also a central governance practice.
- Intelligence: Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling.
- SSDL touch points: Practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices.
- Deployment: Practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance, and other environment issues have a direct impact on software security.

Unlike SAMM, BSIMM is a quantitative study built by interviewing 30 security executives in organizations with world-class security initiatives. From that study they identified the collective set of different activities undertaken by those organizations, and the participation level for each activity. So where SAMM tells you what you should do (prescriptive), BSIMM describes what the best organizations actually did (descriptive). Accordingly, BSIMM calculates the maturity level based on the coverage of specific activities in each security practice. The following table is an example of the list of activities defined in the Deployment domain, for the Penetration Testing practice.