Software Assurance Maturity Model (SAMM)

The Software Assurance Maturity Model (SAMM) provides a methodology for businesses to evaluate their software security practices, build a software security assurance program, demonstrate improvements, and measure the impact of security activities. SAMM defines twelve areas for improvement across governance, construction, verification, and deployment and can be applied to an entire company or single project. The Capability Maturity Model for Security System Engineering (SSE-CMM) identifies core security engineering processes that should be present in an organization and provides a framework for implementing excellent security practices. It assesses an organization's security engineering capabilities and allows comparison to established concepts without prescribing tools or methods.

Uploaded by

Cent Security

Software Assurance Maturity Model (SAMM)

In order to develop and execute an effective software security plan, businesses might use the Software Assurance Maturity Model (SAMM). This methodology aims to address the organisation's particular software security concerns. With the help of SAMM's resources it is possible to evaluate an organisation's current software security practices, build a balanced software security assurance programme in well-defined iterations, demonstrate concrete improvements to a security assurance programme, and measure the impact of security-related activities throughout an organisation. SAMM may be used by businesses of any size, regardless of the kind of software they develop. It can also be applied to the whole company or to a single project.

For secure software development and deployment, OpenSAMM provides a road map and a well-defined maturity model; it also supports self-evaluation and planning. Three security practices are defined for each business function, and each security practice builds assurance for the business function that employs it. As a result, there are twelve discrete areas for improvement in the software development process, corresponding to the business functions. At the top of the SAMM hierarchical model are the key business functions of governance, construction, verification, and deployment. Governance encompasses both the interests of the groups participating in development and the established business operations of a company; this business function is covered by strategy and metrics, policy and compliance, and education and advice at the organisation or project level.

When it comes to software development projects, construction is all about the procedures and activities involved in defining objectives and creating software. In general, this includes security requirements, a threat assessment, and a secure architectural design.
OPENSAMM AS AN ASSESSMENT TOOL 2

Verification covers the procedures and activities involved in checking the software that a business develops; design review, security testing, and code review are all part of this process. Deployment is concerned with how an organisation handles the release of the software it has produced: delivering products to end customers, deploying them to internal or external hosts, and typical software operations are examples of this function.

Figure 1 depicts the OpenSAMM model. Every security objective can be quantified using OpenSAMM, in a way similar to COBIT (Control Objectives for Information and Related Technologies). The maturity level of each security operation is scaled from '0' to '3' in this model: '0' signifies that the operation is not implemented; '1' signifies that there is no systematic approach, but basic application at organisation level is in place; '2' indicates that the organisation's operations have reached a sufficient degree of maturity; and '3' signifies that the operation has been fully applied across the organisation. Project-based or time-based audits, according to this approach, are a good way to increase the degree of security in a business.
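The twelve-practice structure and the '0' to '3' maturity scale described above, as an added scorecard example that is not part of the essay or of the OpenSAMM project: it validates an assessment, averages maturity per business function, lists the gaps to a target level, and compares two audit iterations. Practice names follow OpenSAMM 1.0 (the essay names the governance, construction and verification practices but only describes deployment, so those three names are taken from OpenSAMM 1.0); the assessment scores are constructed.

```python
"""OpenSAMM self-assessment scorecard on the 0..3 maturity scale (added example,
not code from the essay or the OpenSAMM project; practice names per OpenSAMM 1.0)."""
from statistics import mean

# Four business functions x three security practices = twelve practices.
SAMM_PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Security Requirements", "Threat Assessment", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
MATURITY_LEVELS = {0: "not implemented", 1: "basic, unsystematic", 2: "adequate", 3: "fully applied"}
ALL_PRACTICES = [p for ps in SAMM_PRACTICES.values() for p in ps]

def validate(scores):
    """Reject assessments that skip a practice or use a score outside 0..3."""
    missing = set(ALL_PRACTICES) - set(scores)
    unknown = set(scores) - set(ALL_PRACTICES)
    bad = {p: s for p, s in scores.items() if s not in MATURITY_LEVELS}
    if missing or unknown or bad:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)} out_of_range={bad}")

def function_maturity(scores):
    """Average maturity per business function, rounded to one decimal."""
    validate(scores)
    return {f: round(mean(scores[p] for p in ps), 1) for f, ps in SAMM_PRACTICES.items()}

def roadmap(current, target):
    """Practices below target: widest gap first, then weakest current score, then name."""
    validate(current)
    validate(target)
    gaps = [(p, current[p], target[p]) for p in ALL_PRACTICES if target[p] > current[p]]
    return sorted(gaps, key=lambda g: (g[1] - g[2], g[1], g[0]))

def improvement(before, after):
    """Net change per business function between two audit iterations."""
    b, a = function_maturity(before), function_maturity(after)
    return {f: round(a[f] - b[f], 1) for f in SAMM_PRACTICES}

# Constructed sample: a first assessment, a uniform target level, and the next iteration.
ASSESSMENT_Q1 = {"Strategy & Metrics": 1, "Policy & Compliance": 0, "Education & Guidance": 1,
                 "Security Requirements": 1, "Threat Assessment": 0, "Secure Architecture": 1,
                 "Design Review": 0, "Code Review": 2, "Security Testing": 1,
                 "Vulnerability Management": 1, "Environment Hardening": 1, "Operational Enablement": 0}
TARGET_LEVEL_2 = {p: 2 for p in ALL_PRACTICES}
ASSESSMENT_Q3 = {**ASSESSMENT_Q1, "Policy & Compliance": 1, "Threat Assessment": 1, "Design Review": 1}
```

Running `roadmap(ASSESSMENT_Q1, TARGET_LEVEL_2)` puts the four unimplemented practices first, which is the iteration plan the model asks for.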

Figure 1. OpenSAMM model, adapted from Review on common criteria as a secure software development model by Kara, M., 2012.

The Capability Maturity Model for Security System Engineering (SSE-CMM)

SSE-CMM highlights the basic elements of a security engineering process that should be present in an organisation in order to guarantee strong security engineering practices. Security engineering concepts may be assessed and improved through this method, which focuses on capability-based assurance. SSE-CMM offers a framework for implementing excellent security engineering practices throughout an enterprise, but it does not identify any particular tools or methodologies that might be used to achieve the stated objectives.

According to SSE-CMM, certain processes must be in place in order to carry out an activity consistently and effectively, and all of the goals and actions that make up these processes are laid out in detail in the model. To reiterate, the real benefit of using SSE-CMM is to integrate the firm's current processes with those contained in the model, not to prescribe a particular methodology or procedure. SSE-CMM's processes may not be relevant in all settings, depending on the aims and objectives of each company. The model's linkages between the various practices should be studied thoroughly by organisations so that their applicability can be determined.

In the SSE-CMM paradigm there are two parts or dimensions: domain and capability. The two describe different process areas and activities. The domain practices are focused on the security domain, whereas the capability practices are more generic and may be applied to a variety of domains; process management and the institutionalisation of capability are reflected in the capability dimension. The domain-level process areas (PAs) pertain to security engineering and may be further separated into three subcategories: security engineering, project, and organisational PAs. The goal of the SSE-CMM is to assess and enhance an organisation's security engineering capability. Using this approach, security engineers may compare their current methods with widely recognised security engineering concepts, and the model can be used to assess and improve the performance of security engineering in practice. Version 3 of the SSE-CMM has been released as an ISO standard, ISO/IEC 21827.

References

Kara, M. (2012). Review on common criteria as a secure software development model. International Journal of Computer Science & Information Technology, 4(2), 83.

Pazos-Revilla, M., & Siraj, A. (2008). Tools and techniques for SSE-CMM implementation. In The 12th World Multi-Conference on Systemics, Cybernetics and Informatics, jointly with ISAS.
