Amid the government-led push toward more secure software design, developers and executives are focusing on established software security models, which can guide companies toward embedding secure development best practices as part of routine operations.
Organizations can align their processes with one of two global industry standards for self-assessment and security maturity—the Building Security In Maturity Model, known as BSIMM (pronounced “bee-sim”) and the Open Worldwide Application Security Project’s Software Assurance Maturity Model, aka OWASP SAMM.
The frameworks take different approaches to helping organizations uplift their security. BSIMM acts as a descriptive model, offering a template of best practices drawn from more than 100 organizations, against which you can compare your secure software initiatives (SSIs). SAMM is prescriptive, offering paths that guide organizations toward secure software programs. What they have in common is that many organizations have found it difficult to meet either model’s objectives, often despite budget increases aimed at defined security outcomes and executive buy-in for their SSIs.
With risk assessments becoming a higher priority even at the executive level, organizations need to take a developer-driven security approach that actively targets developer risk management, skills enhancement and strategic repository “gatekeeping.” These initiatives can help them stay on course while they assess their current security level and create an action plan that aligns with BSIMM or OWASP SAMM.
Know the Maturity Models
BSIMM shows you what a software security model looks like, enabling an organization to assess the state of its current SSI, understand how it compares to other SSIs in the industry and measure its progress. Rather than being a step-by-step guide to implementing a secure model, it enables an organization to analyze its program using real data from other organizations and benchmark performance in 12 practices over four domains: Governance, Intelligence (corporate knowledge used in performing secure activities), Secure Software Development Lifecycle (SSDL) and Deployment.
It gives teams visibility into their current state of security maturity, allowing them to develop a strategy for improvement tailored to their organization’s processes.
OWASP SAMM is an open framework that provides defined steps organizations can take toward security maturity, though it is designed to allow organizations of any size to customize their approach. SAMM divides 12 core practices into five business functions—Governance, Design, Implementation, Verification and Operations—with each function containing two streams that are broken down into three maturity levels.
OWASP says the solution details are simple enough for even non-security personnel to follow, and the model does not require that every organization achieve maximum security at every level, although at each stage it does point organizations toward the next level. SAMM helps organizations analyze their current security at any step in the process so they understand where they are in their security maturity journey.
Although both BSIMM and SAMM are established frameworks, many organizations still have trouble following them and achieving their intended goals, whether because of the complexity involved (a particular problem for smaller organizations), resourcing issues, or other roadblocks to success. Before embarking on BSIMM or SAMM, organizations may first need to ensure that developers and security teams are ready to handle the workload and are equipped with the right tools.
The Importance of Developer Upskilling
Organizations can no longer afford to treat alignment with BSIMM and SAMM as an aspirational goal that would be nice to have someday. The growing spate of major breaches in recent years, from SolarWinds to Change Healthcare, has underscored the importance of software security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded with its Secure-by-Design initiative, promoting secure coding along with other best practices in what is becoming a global effort supported by initiatives in other countries.
Companies looking to get on board with Secure by Design—and to do so without compromising the speed of delivery—can begin by establishing an organizational culture that emphasizes code quality, upskilling and skills verification. They also need to avoid the kind of restrictive environment that can develop, often unintentionally, when one person who is fully conversant with a system essentially takes control of it, managing it through their own personalized shortcuts and workarounds and preventing others from accessing and understanding the system.
Security leaders can attract both executive-level and developer support by, for example, developing security-focused career paths for developers built on agile, interactive training programs. Such programs should focus on writing secure code and on correcting coding errors that can be introduced by open-source or third-party code, as well as by the increasingly common coding assistants powered by artificial intelligence. This should be part of a security-first mindset that includes architectural oversight of the use of AI and open-source code, and the ability to perform threat modeling and other defensive procedures.
With developers under pressure to produce more code than ever before, development teams need a high level of security maturity to avoid rework. That necessitates having highly skilled personnel working within a strategic, prevention-focused framework. Developer and AppSec teams must work closely together, rather than operating as separate entities as in the old model. Today, developers need to assume a significant role in ensuring security best practices. The most recent BSIMM report from Black Duck Software, for instance, found that there are only 3.87 AppSec professionals for every 100 developers, which doesn’t bode well for AppSec teams trying to secure an organization’s software on their own.
A critical part of learning initiatives is the ability to gauge the progress of developers in the program, both to ensure that developers are qualified to work on the organization’s most sensitive projects and to assess the effectiveness of the program. This upskilling should be ongoing, and you should always look for areas that can be improved. Making use of a tool like SCW’s Trust Score, which uses benchmarks to gauge progress both internally and against industry standards, can help ensure that progress is being made.
Lay the Foundations of Security Maturity
Part of the challenge of meeting the goals of BSIMM and SAMM is whether organizations are prepared to meet them. Start by building a good foundation in-house: a security-first culture in which security is a business priority and nurturing security-skilled developers is prioritized. Then, implement a Secure-by-Design approach throughout the organization. Doing so will generate the kind of executive and developer buy-in and support needed to drive the effort of enhancing your enterprise security maturity and, ultimately, managing the inherent risk introduced by developers with low security skills and awareness.
Whether choosing to align with the descriptive BSIMM or the prescriptive SAMM, organizations can help ensure that they can achieve software security maturity by laying the groundwork within their own enterprises, making security best practices an essential part of daily routines, starting with the very first step of creating software code.