Introduction
With high-profile cyberattacks occurring around the world at an alarming rate, software developers are focusing on using software security models that can guide their organisations toward embedding secure development best practices.
Essentially, organisations can align their processes with one of two global industry standards for self-assessment and security maturity.
The first is the Building Security in Maturity Model[1], known as BSIMM (pronounced “bee-sim”). The second is the Open Worldwide Application Security Project’s Software Assurance Maturity Model[2], also known as OWASP SAMM.
The two frameworks take different approaches to helping organisations uplift their security. BSIMM acts as a descriptive model, offering a template of best practices drawn from more than 100 organisations, against which secure software initiatives (SSIs) can be compared.
SAMM, meanwhile, is prescriptive and offers paths that guide organisations toward secure software programs. What they have in common is that many organisations have found it difficult to meet either of the security models’ objectives, often despite budget increases to pursue defined security outcomes, and receiving executive buy-in for their SSIs.
With risk assessments becoming a higher priority, organisations need to take a developer-driven approach to security that actively targets developer risk management, skills enhancement and strategic repository “gatekeeping”: initiatives that can help them stay on course while they assess their current security levels and create an action plan that aligns with BSIMM or OWASP SAMM.
Understanding the Maturity Models
BSIMM shows what a software security model looks like, enabling an organisation to assess the state of its current SSI, and understand how it compares to other SSIs in the industry.
Rather than being a step-by-step guide to implementing a secure model, it enables an organisation to analyse its program using real data from other organisations and benchmark performance in 12 practices over four domains: Governance, Intelligence (corporate knowledge used in performing secure activities), Secure Software Development Lifecycle (SSDL) and Deployment.
This gives teams visibility into their current state of security maturity, allowing them to develop a strategy for improvement tailored to their organisation’s processes.
OWASP SAMM is an open framework that provides defined steps organisations can take toward security maturity, though it is designed to allow organisations of any size to customise their approach. SAMM divides 12 core practices into five business functions – Governance, Design, Implementation, Verification and Operations – with each function containing two streams that are broken down into three maturity levels.
Although both BSIMM and SAMM are established frameworks, many organisations still have trouble following them and achieving intended goals, whether because of the complexity involved (particularly a problem for smaller organisations), resourcing issues, or other roadblocks to success.
Before embarking on BSIMM or SAMM, an organisation may need first to ensure that developers and security teams are ready to handle the workload and are equipped with the right tools.
Why Developer Training Is Vital
Organisations can no longer afford to have alignment with BSIMM and SAMM as just an aspirational goal. The growing spate of major breaches in recent years has underscored the importance of software security.
The US Cybersecurity and Infrastructure Security Agency (CISA) has responded with its Secure-by-Design initiative promoting secure coding along with other best practices in what is becoming a global effort.
Companies looking to get on board with Secure by Design – and doing it without compromising the speed of delivery – can begin by establishing an organisational culture that emphasises code quality, upskilling and skills verification.
Security leaders can attract both executive-level and developer support by, for example, developing security-focused career paths for developers. These can be built on agile, interactive training programs focused on writing secure code and on correcting the coding errors that open-source or third-party code can introduce, as can the increasingly common coding assistants powered by artificial intelligence.
This should be done as part of a security-first mindset that includes architectural oversight for the use of AI and open-source code, and the ability to perform threat modelling and other defensive procedures.
With developers under pressure to produce more code than ever before, development teams need to have a high level of security maturity to avoid rework. That necessitates having highly skilled personnel working within a strategic, prevention-focused framework.
Unfortunately, the most recent BSIMM report from Black Duck Software[3], for instance, found that there are only 3.87 AppSec professionals for every 100 developers. This doesn’t bode well for AppSec teams trying to secure an organisation’s software all on their own.
Achieving Security Maturity
Part of the challenge of meeting the goals of BSIMM and SAMM is simply being prepared to meet them. Start by building a solid foundation in-house: a security-first culture in which security is a business priority and nurturing security-skilled developers is itself prioritised.
Then, it’s important to implement a Secure-by-Design approach throughout the organisation. Doing that will generate the kind of executive and developer buy-in and support needed to really drive the effort of enhancing enterprise security maturity.
It’s clear that having developers well trained in security techniques is vital for the production of resilient code. Taking time to achieve this now can avoid significant disruption and losses in the future.
[1] https://www.blackduck.com/glossary/what-is-bsimm.html
[2] https://owasp.org/www-project-samm/
[3] https://www.blackduck.com/content/dam/black-duck/en-us/reports/bsimm-report.pdf