Any organisation that creates or maintains digital products as part of its business operations should be concerned with software security.
In the past, software security was handled in a design, build, test sequence, with security testing undertaken as a final gate before go-live.
With the faster deployment cycles and shorter time-to-value for customers brought by Lean, Agile and DevOps approaches, confining security to a testing phase is no longer feasible.
Organisations must shift security left (in fact, shift security everywhere) in order to build security into every step of the product lifecycle.
Two popular frameworks that are useful to consider as a starting point for implementing a Secure Software Initiative (SSI) are OWASP’s Security Assurance Maturity Model (SAMM) and Synopsys’ Building Security In Maturity Model (BSIMM).
SAMM
OpenSAMM provides a prescriptive approach that an organisation can, in effect, use to get started right away.
It consists of 15 security practices split across 5 business functions, representing activities that any organisation involved in software creation or maintenance will undoubtedly undertake.
Within each practice, OpenSAMM also defines three maturity levels that organisations can use to build and evolve their SSI.
BSIMM
BSIMM, on the other hand, is based on the observed experiences and practices of organisations in the field that have been effective in implementing SSIs.
BSIMM began in late 2008 when application security specialists got together to research, analyse and publish their findings about how these organisations approach SSIs.
That approach has continued, and today BSIMM reflects the collective experience and practice of over 130 organisations in their approach to SSI.
BSIMM consists of 12 practices split into 4 domains. Each practice has activities that can be adopted. The current total of activities is 125.
BSIMM is updated frequently, with a report published annually. The current iteration is BSIMM13.
These two approaches are an excellent starting point for further investigation when adopting or enhancing a software security initiative.