Implementing 5 levels of Capability Maturity Model (CMM) for Secure Software Development Life Cycle (SSDLC)
Jamil Ahmed
Fortis GamesSenior Application Security Engineer
Abstract
Capability Maturity Model (CMM)
The Capability Maturity Model (CMM) has advanced to effectively evaluate the maturity of software and the Software Development Life Cycle (SDLC). While the importance of CMM for SDLC is clear, a functional CMM specifically designed for the Secure Software Development Lifecycle (SSDLC) across all five levels is not widely recognized nor adopted within the application security community and software engineering teams.
CMM aims to assess an organization’s capabilities through five levels: Initial, Managed, Defined, Quantitatively Managed, and Optimized.
Origin
OWASP Software Assurance Maturity Model (SAMM) is the relevant CMM to SSDLC. I have devised a functional CMM for SSDLC based on SAMM. This maturity model is devised around important security domains of SSDLC. Although, SAMM provides a good foundation, it is limited to 3 levels. The proposed maturity model of this talk is comprised of 5 typical levels of CMM.
Objective
Shifting left is crucial for improving the security posture of an organization’s software development processes. Therefore, it is essential that the CMM for SSDLC supports the shift-left approach at each of its five levels. As organizations progress to higher maturity levels, they need to implement more shift-left practices.
Security Domains and Categories
The maturity model organizes Secure Software Development Lifecycle (SSDLC) practices into nine major security domains i.e. Security Policy and Standards, Security Role and Culture, Security Training, Asset Inventory, Application Architecture Assessment, Building Source Code, Secure Deployment, Dynamic Application Scanning, Security Testing.
The full model includes descriptions, criteria, and guidelines for achieving these criteria at each of the five levels.
In the talk, I will share the complete maturity model.