Cybersecurity (or just security) is a topic that is on every company’s agenda. Even for industries only remotely related to the internet (e.g., vehicle manufacturing), employing a full-time cybersecurity team is a must. However, security is such a monumentally complex matter that even champions like Google and Apple don’t always get it right. Still, security (at least software security) is actually a scientific discipline. Hence, getting it right is a matter of a methodological approach.
If you have no clue about software security, the number one phrase to remember is: security is a journey, not a destination. Nothing is 100% secure, and it’s all about threats, risks and impact. However, that is not the story you are looking to tell your customers. Practically, you’d like to claim that your software system (and your organization) is more secure than that of your competitors. So how do you do that?
- How do you get as good as it gets in software security?
- How do you claim that your product (and organization) is more secure than that of the competition?
Ransomware, supply chain attacks and zero-day vulnerabilities are the most common buzzwords. Yet they are as relevant to software security as a mask is to the Covid pandemic.
The good news: all you need to go from zero to hero in software security is there. Software Assurance Maturity Model (SAMM) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security, that can be integrated into their existing Software Development Lifecycle (SDLC). SAMM covers the complete spectrum of software security from A to Z, от А до Я, Ա մինչեւ Ֆ (or any other alphabet of your liking). SAMM is nothing short of a job description for your organization’s CISO / CTO.
The bad news: going from zero to hero even with SAMM is still a challenge. There are 5 business functions, 3 security practices per business function, 2 streams per practice and 3 maturity levels. In other words, to be a hero you might need to cover 90 activities, some of which might take several man-months or even years. However, that is the harsh reality behind becoming a champion in software security. The scope is immense, and that is precisely why SAMM provides a framework to plan and build your improvement strategy in small and prioritized increments.
SAMM is the software security bible
We obviously strongly believe in SAMM, and this is why we have started developing a SAMM-supporting toolset. SAMMY is a platform to help organizations implement their security assurance program. SAMMY introduces a number of our own process flavors to SAMM:
- Highlighting streams and security practices as first-class citizens.
- Hiding higher maturity levels if the organization is not there yet.
- Focus on evidence to prove the score at a given maturity level for a given stream.
- Growth score per stream / security practice to further stress the tailored approach behind SAMM.
- Gamification to provide an additional incentive for all users within an organization to get involved in software security.
Here is a brief walkthrough of SAMMY. We would love to hear your feedback, and if you are interested in trying out a beta, please contact us at sammy [at] codific.com