Cybersecurity: Engineering a Secure Information Technology
Organization, 1st Edition
Chapter 10
Software Assurance Maturity Model
Objectives
• Appreciate the importance of using an open
framework for implementing a security strategy
• Use the Software Assurance Maturity Model as a
basis for software assurance
• Use a scorecard approach to measure the maturity
of an organization’s software assurance program
Cybersecurity: Engineering a Secure Information Technology
Organization, 1st Edition
© Cengage Learning 2015
2
Overview of the Software Assurance
Maturity Model
• Software assurance is the level of confidence that
software functions in the intended manner
– And is free from vulnerabilities
• Once an organization decides to meet software
assurance goals:
– The next step is to assess its current development
and procurement activities and practices
• Requires two things:
– A repeatable and objective assessment process
– A clear benchmark or target that represents a
suitable level of risk management
Understanding the SAMM Framework
• SAMM was originally developed, designed, and
written by Pravir Chandra
– First draft was created in August 2008
– First official release was in March 2009
• The document is currently maintained and updated
through the OpenSAMM Project
• The project has become part of the Open Web
Application Security Project (OWASP)
– SAMM is an open model intended to help
organizations formulate and implement a software
security strategy
Understanding the SAMM Framework
• Resources provided by SAMM help an organization
do the following:
– Evaluate its existing software security practices
– Build a balanced software security assurance
program in well-defined iterations
– Demonstrate concrete improvements to a security
assurance program
– Define and measure security activities
Understanding the SAMM Framework
• SAMM can be used by any organization
– Regardless of size or software development
methods
• The model can be used to support an entire
business or just the needs of an individual project
• The framework of SAMM maps all activities under
four business functions
– Three security practices are mapped to each
business function
• Thus, 12 security practices serve as the basis for
assurance improvement
Understanding the SAMM Framework
• The four business functions:
– Governance - processes and activities for managing
software development as a whole, including concerns
that cut across development groups and business
processes
– Construction - processes and activities related to how
an organization defines goals and creates software
within development projects
– Verification - processes and activities related to how
an organization checks and tests the artifacts
produced during development
– Deployment - processes and activities related to how
an organization manages the release of the software
it has created
Understanding the SAMM Framework
• SAMM resembles CoBIT (Control Objectives for
Information and Related Technology) in rating
maturity on a numbered scale
– CoBIT’s own scale runs from 0 to 5; SAMM rates
each of its 12 security practices from 0 to 3
• The SAMM maturity levels for a practice:
– Level 0 - implicit starting point; the activities of the
practice are not performed
– Level 1 - initial understanding and ad hoc
performance of the practice
– Level 2 - the practice is performed with increased
efficiency and/or effectiveness
– Level 3 - comprehensive mastery of the practice at
scale
Governance Business Function
• Governance - the process that enables people to
make decisions through chains of responsibility,
authority, and communications
• Governance also provides the ability to perform
roles using mechanisms such as policy, control,
and measurement
• Governance is not the same as management
– Although managers do make governance decisions
Governance Business Function
• Governance increases the likelihood of delivering a
successful product by asking:
– What is the scope being governed?
– Who has the governing authority and what format is
followed?
– What are the governance goals?
– What decision-making rights and communication
structure are needed?
– What policies, procedures, guidelines, controls, and
measurements should be used to attain those
goals?
Governance Business Function
• The outcome of the governance business function
provides the basis for:
– Mandating an organization’s software assurance
strategy
– Establishing metrics to measure the success of that
strategy
• Policies are developed to complement the strategy
• Audits are performed to ensure compliance with
the policies
• Education is provided to teach employees about
relevant security topics
Strategy & Metrics Practice
• Strategy and metrics practice - defines an
underlying framework for an organization’s
software security assurance program
– Establishing this practice should be an
organization’s first step in defining security goals
• Protection strategies include:
– Principles, enacted through policies and procedures,
that state the security requirements and risk
tolerances for the organization’s software
– Clear assignment of roles and responsibilities,
periodic training and financial incentives for staff
Strategy & Metrics Practice
• Protection strategies include (cont’d):
– An infrastructure architecture that fulfills security
requirements, meets risk tolerances, and
implements effective controls
– Periodic review of all new and upgraded
technologies
– Regular review and monitoring of relevant
processes, performance indicators, and performance
measures
– Regular review of new and emerging threats
– Regular audits of relevant controls
Strategy & Metrics Practice
• Effectively achieving and sustaining security is a
continuous process
• Processes to plan, monitor, review, document, and
update an organization’s security state must be
ongoing
• SAMM suggests that organizations begin by
implementing “lightweight” risk profiles
• More advanced security measures may later be
applied that gradually lead to road maps toward
greater efficiency in the security program
Policy & Compliance Practice
• The policy and compliance practice has two purposes:
– To understand and meet external legal and
regulatory requirements
– To develop and implement internal security policies
to ensure alignment with the organization’s overall
mission and vision
• Requirements of this practice include audits
– To gather information about project-level activities to
ensure policy compliance
Education & Guidance Practice
• This practice ensures that the appropriate staff
receive the knowledge and resources needed to
design, develop, and deploy secure software
• Participants on project teams are better prepared
to identify and reduce or eliminate security risks
• This practice defines activities for preparing a
formal set of security guidelines as a reference for
project teams
Construction Business Function
• Construction: a business function that
encompasses more than just the activities of
software coding and testing
• Construction also includes:
– Project management, requirements gathering,
high-level architecture specification, detailed design,
and implementation
Construction Business Function
• The security practices under this business function:
– Threat assessment - identifies potential attacks
against the organization’s software
• To help identify risks and improve the ability to
manage them
– Security requirements - enforces the practice of
including security requirements during the software
development process
– Secure architecture - improves the software design
process by promoting secure-by-default designs and
greater control over the technologies and processes
from which software is built
Threat Assessment Practice
• This practice contains activities that help an
organization identify and understand project-level
risks
– Based on the functionality of the software being
designed and developed
– Also based on the characteristics of the software’s
operating environment
• Should start with simple threat models and
gradually develop more detailed methods of threat
analysis and measurement
Security Requirements Practice
• This practice focuses on identifying and
documenting software security requirements
• Security requirements are initially gathered based
on the high-level business purpose of the software
• As the organization progresses, it can use more
advanced techniques to discover new security
requirements
– Such as access control specifications
• An organization should map its security
requirements into its relationships with suppliers
Secure Architecture Practice
• This practice defines the activities of an organization
that strives to design and build secure software as
part of its standard development process
• Some security risks can be reduced by integrating
reusable components and services into the
software design process
• By beginning with simple implementations of
software frameworks and secure design principles
– An organization naturally evolves toward consistent
use of design patterns for its security functions
Verification Business Function
• The purpose of verification is to determine whether
the products of a software activity fulfill the
requirements or conditions imposed on them in a
previous activity of the lifecycle model
• The security practices under this business function:
– Design review
– Code review
– Security testing
Design Review Practice
• Design review defines activities that aim to identify
and assess software design and architecture for
security problems
• Activities for this practice allow an organization to
detect architecture-level issues early in software
development
– Avoiding potentially large costs from revisiting earlier
lifecycle processes as a result of security concerns
Code Review Practice
• Code review focuses on activities that are normally
performed by the programmers on a project team
• This practice emphasizes inspection of software at
the source-code level
– To find security vulnerabilities
– Inspection complements testing: it catches defects
such as missing input validation or unsafe API use
that unit tests rarely exercise
• At the lightweight end, reviewers work from checklists
that correspond to previously developed and
documented security requirements and test cases
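The checklist-driven inspection described above, as an added example that is not code from the textbook or from the OpenSAMM project. The checklist items, their patterns, the `review`/`checklist_result` helpers and the sample module under review are all constructed for illustration; the patterns are simple inspection aids for a lightweight review, not a substitute for a static analysis tool.

```python
"""Checklist-driven source inspection, the lightweight form of the SAMM Code
Review practice: every checklist item is a pattern tied to a documented
security requirement, and the review reports which items fail and where.

Added illustration; not code from the textbook or the OpenSAMM project. The
checklist items, their patterns and the sample source are all constructed,
and the patterns are deliberately simple inspection aids, not a full SAST tool."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    item: str      # checklist item id
    line: int      # 1-based line number in the reviewed source
    text: str      # the offending line, stripped


# Constructed checklist: item id -> (what the requirement says, pattern that violates it)
CHECKLIST: Dict[str, Tuple[str, re.Pattern]] = {
    "CR-01": ("no hard-coded credentials",
              re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]")),
    "CR-02": ("no shell=True command execution",
              re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    "CR-03": ("no SQL built by string formatting or concatenation",
              re.compile(r"execute\(\s*(f['\"]|['\"].*%\s|.*\+\s*\w)")),
    "CR-04": ("no eval/exec on runtime data",
              re.compile(r"\b(eval|exec)\(")),
    "CR-05": ("no unsafe deserialization",
              re.compile(r"\b(yaml\.load\((?!.*Loader)|pickle\.loads?\()")),
}


def review(source: str) -> List[Finding]:
    """Run every checklist pattern over every non-comment line of the source."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for item, (_, pattern) in CHECKLIST.items():
            if pattern.search(line):
                findings.append(Finding(item, lineno, stripped))
    return findings


def checklist_result(findings: List[Finding]) -> Dict[str, str]:
    """PASS/FAIL per checklist item, the row a reviewer records on the worksheet."""
    failed = {f.item for f in findings}
    return {item: ("FAIL" if item in failed else "PASS") for item in CHECKLIST}


# Constructed sample module under review; safe_lookup() shows the fixed form
# of the query built by concatenation in lookup().
SAMPLE = '''\
import subprocess, sqlite3, yaml
API_KEY = "sk-live-0123456789"
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchall()
def load(cfg):
    return yaml.load(cfg)
def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    found = review(SAMPLE)
    for f in found:
        print(f"{f.item} line {f.line}: {CHECKLIST[f.item][0]} -> {f.text}")
    print(checklist_result(found))
```

Each finding names the checklist item, so the reviewer's worksheet row (PASS/FAIL per requirement) can be filled in directly from the output, and the parameterized query in `safe_lookup` passes the same CR-03 check that the concatenated query in `lookup` fails.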
Security Testing Practice
• Security testing focuses on inspecting software in
the runtime environment to find security problems
– Performed through penetration testing and high-level
test cases
• These activities strengthen the assurance case for
software
– By checking it under real-world conditions
• Doing so draws attention to mistakes in business
logic that are difficult to find otherwise
Deployment Business Function
• Software deployment is a large and complex task
– Creates new challenges in the areas of release,
installation, activation, deactivation, updates, and
removal of components
• Security practices defined by SAMM’s deployment
business function:
– Vulnerability management
– Environment hardening
– Operational enablement
Vulnerability Management Practice
• This practice focuses on the activities of an
organization with respect to handling vulnerability
reports and security incidents
• By having this framework in place
– Organizations can run projects more consistently
and handle security events with increased efficiency
• A key to successful vulnerability management is to
understand the roles each person plays in a
security incident
– And effectively identify and handle vulnerabilities
through reporting procedures
Environment Hardening Practice
• This practice helps an organization build assurance
for its software’s operating environment
• “As-a-service” architectures, which have become
popular with the emergence of cloud computing
solutions, present a new obstacle to building
assurance into the environment
• The starting point is to track and distribute
information (for example, patch availability) that
keeps development teams informed
– From there an organization grows into scalable
methods for deploying security patches and
early-warning detectors
Operational Enablement Practice
• The focus of this practice is to keep software users
and operators informed
• Avoid overly long documentation filled with
technical jargon
• Start with simple documentation to capture the
most important details for users and operators
Applying SAMM: Getting the Job Done
• IT managers must be able to implement and
manage the success of each business function and
security practice
• Using scorecards, an organization can
demonstrate its improvement through a process of
integrating software assurance into existing
company policies and procedures
• An organization can use SAMM as a road map to
assist in building or improving a security assurance
initiative
Understanding the Maturity Levels
• Each level within the 12 security practices has an
assigned objective
– Objective is a general statement of goals for
achieving that level
• The objectives at each level are attained by
successful completion of activities defined by
SAMM
• SAMM characterizes capabilities and deliverables
as “results” obtained by achieving the given level
• SAMM provides specific example benchmarks that
it calls success metrics
Understanding the Maturity Levels
• Choices for data collection and management are
left to the organization
– The model does recommend data sources and
thresholds
• The model provides information on expenses an
organization may incur by attaining a given level
• These costs are not exhaustive
– Additional expenses are possible depending on how
the security practice is performed within the
organization
Understanding the Maturity Levels
• SAMM identifies seven IT job functions that can
affect the success of software assurance:
– Developers
– Architects
– Managers
– QA testers
– Security auditors
– Business owners
– Support operations
SAMM Approach to Assessment
• To perform an assessment, an organization must
establish a set of well-defined benchmarks (or
metrics)
– And then adopt and perform a measurement
process against those benchmarks
• SAMM uses a set of predefined worksheets that
serve as a starting point for determining the
efficiency of each security practice being performed
SAMM Approach to Assessment
• Each worksheet is evaluated based on one of two
recommended approaches:
– Lightweight - the worksheets are evaluated for each
practice and scores are assigned based on the
answers
– Detailed - the worksheets are evaluated for each
practice, followed by additional audits to ensure
activities defined for that practice are in place
SAMM Approach to Assessment
• An organization might complete every activity for
level 2 of a particular practice and also perform some
level 3 activities, but not enough of them to achieve
level 3
• In those cases the score is annotated with a + symbol
to indicate that additional assurance activities are in
place beyond the level obtained
• A practice can therefore score 0, 0+, 1, 1+, 2, 2+, or 3
– The same rule gives 0+ to a practice with some but
not all level 1 activities; there is no level above 3, so
3+ does not arise
Using Scorecards to Measure Success
• Using interval scorecards is encouraged in several
situations, according to the 2009 version of SAMM:
– Gap analysis - capturing scores from detailed
assessments versus expected performance levels
– Demonstrating improvement - capturing scores from
before and after an iteration of the assurance
program’s roll-out
– Ongoing measurement - capturing scores over
consistent time frames for an assurance program
that is already in place
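The scoring rule with the + annotation and the three scorecard uses (gap analysis, improvement between iterations, and ongoing measurement) as an added, runnable example. This is not code from the textbook or from the OpenSAMM project: the two-activities-per-level worksheets, the sample answers, the target road map and the helper names (`score_practice`, `assess`, `gap_analysis`, `improvement`) are constructed for illustration, and the half-level value given to a + is an ordering convention chosen here, not something SAMM defines.

```python
"""SAMM-style scorecard: score each security practice from yes/no worksheet
answers, annotate partial progress with '+', and run the scorecard comparisons
(gap analysis against a road map and improvement between two iterations).

Added illustration; not code from the textbook or the OpenSAMM project.
The worksheet answers, target road map and helper names are constructed."""
from typing import Dict, List, Tuple

# SAMM 1.0: four business functions, three security practices each.
PRACTICES: Dict[str, List[str]] = {
    "Governance":   ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment":   ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}
ALL_PRACTICES = [p for ps in PRACTICES.values() for p in ps]

Worksheet = Dict[int, List[bool]]   # maturity level -> yes/no answer per activity


def score_practice(answers: Worksheet) -> str:
    """A level is attained only when every activity at that level and at all
    lower levels is in place. If any activity above the attained level is in
    place, the score gets a '+'. Level 3 can never carry a '+'."""
    level = 0
    for lvl in (1, 2, 3):
        at_level = answers.get(lvl, [])
        if at_level and all(at_level):
            level = lvl
        else:
            break
    extra = [a for lvl, acts in answers.items() if lvl > level for a in acts]
    return f"{level}+" if any(extra) else str(level)


def assess(worksheets: Dict[str, Worksheet]) -> Dict[str, str]:
    """Score all 12 practices; a practice with no worksheet scores 0."""
    return {p: score_practice(worksheets.get(p, {})) for p in ALL_PRACTICES}


def as_number(score: str) -> float:
    """Order scores for comparison: 1 < 1+ < 2 (a '+' counts as half a level;
    this is a convention for ordering, not a SAMM rule)."""
    return int(score.rstrip("+")) + (0.5 if score.endswith("+") else 0.0)


def gap_analysis(current: Dict[str, str], target: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Practices scoring below the road map's expected level."""
    return {p: (current[p], target[p]) for p in current
            if as_number(current[p]) < as_number(target[p])}


def improvement(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Practices whose score rose between two assessment iterations."""
    return {p: (before[p], after[p]) for p in before
            if as_number(after[p]) > as_number(before[p])}


def scorecard_lines(scores: Dict[str, str]) -> List[str]:
    """One scorecard row per practice, grouped by business function."""
    return [f"{fn:<13} {p:<26} {scores[p]:>3}"
            for fn, ps in PRACTICES.items() for p in ps]


# Constructed sample: a first, lightweight assessment (two activities per level).
ITERATION_1: Dict[str, Worksheet] = {
    "Strategy & Metrics": {1: [True, False]},
    "Threat Assessment":  {1: [True, True], 2: [False, False], 3: [True, False]},
    "Code Review":        {1: [True, True], 2: [True, False], 3: [False, False]},
    "Security Testing":   {1: [True, True], 2: [True, True], 3: [True, True]},
}
# The same organization after one roll-out iteration of its assurance program.
ITERATION_2: Dict[str, Worksheet] = {
    **ITERATION_1,
    "Strategy & Metrics": {1: [True, True], 2: [True, False]},
    "Code Review":        {1: [True, True], 2: [True, True], 3: [False, False]},
}
# Constructed road map: level 1 everywhere, higher where the risk profile demands it.
TARGET = {p: "1" for p in ALL_PRACTICES}
TARGET.update({"Threat Assessment": "2", "Code Review": "2", "Security Testing": "3"})

if __name__ == "__main__":
    before, after = assess(ITERATION_1), assess(ITERATION_2)
    print("\n".join(scorecard_lines(after)))
    print("gaps vs road map:", gap_analysis(after, TARGET))
    print("improved this iteration:", improvement(before, after))
```

Ongoing measurement is the same `assess` call repeated on a fixed schedule with its output kept per date; `improvement` then compares any two of those snapshots, and `gap_analysis` shows at each point how far the program still is from the road map.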
Summary
• The Software Assurance Maturity Model (SAMM) is
an open framework for formulating and implementing
a software security strategy that is specifically tailored
to an organization’s risks
• The resources provided by SAMM help an
organization evaluate its existing software security
practices, build a balanced software security
assurance program in well-defined iterations,
demonstrate concrete improvements to a security
assurance program, and define and measure security
activities throughout the organization
Summary
• SAMM was defined with flexibility in mind so it can be
used by any organization, regardless of its size or
style of software development
• A software security framework must be flexible and
allow organizations to tailor their choices based on
risk tolerance and the way they build and use
software
• Guidance related to security activities must be
prescriptive
• SAMM’s foundation is built on the core business
functions of software development and the security
practices associated with each