Tuesday, August 24, 2010

Software Assurance Maturity Model (SAMM)

I just finished a (quick) read of the Software Assurance Maturity Model (SAMM). SAMM is a product of OWASP and is a freely available model for building and measuring a software security program. The specific version I read was the latest at this time, which is 1.0.

Frankly I was very impressed with the document. It is professionally laid out, and obviously a lot of work has gone into not only the content but the presentation. One thing that struck me as a nice touch was the three "maps" (my term) through the document on page 5, which show you which sections to read or skim to accomplish specific goals. It's a 96-page document, but it is organized nicely so you can skim it quickly and find specific sections easily.

The document defines what seems to be the most thorough model I've come across. It starts with four business functions: Governance, Construction, Verification and Deployment. Under each of these it defines three security practices (in 1.0: Strategy & Metrics, Policy & Compliance and Education & Guidance under Governance; Threat Assessment, Security Requirements and Secure Architecture under Construction; Design Review, Code Review and Security Testing under Verification; Vulnerability Management, Environment Hardening and Operational Enablement under Deployment) and then three levels of maturity for each practice. It then goes into depth on what each level of each practice entails, what activities it requires, and what benefits result. While this seems like a lot, I think it's always good to know what you don't know, and a complete model helps do that. The different levels would be useful for laying out a roadmap for getting to whatever level is appropriate for a given organization.

It concludes with a case study giving a narrative of a company (VirtualWare, which seems to be modeled on a real company with a similar name) adopting a software assurance program for a new web-based product. The company starts with no assurance program, and the case study discusses a four-phase implementation strategy.

Altogether, a good document. Worth a read for anyone interested in software assurance and certainly something to consider when developing an assurance program.