Web applications are the front door of the enterprise, and they are one of the top attack vectors today. The cost of a breach, the downtime and the loss of reputation are not just the CISO's concern but very much the concern of an organization's board-level executives.
This guide on security by FireCompass gives a holistic picture of various frameworks, architectural requirements, a case study and more to help you assess your organization's cyber security program.
Software Assurance Maturity Model (SAMM)
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:
- Evaluating an organization’s existing software security practices.
- Building a balanced software security assurance program in well-defined iterations.
- Demonstrating concrete improvements to a security assurance program.
- Defining and measuring security-related activities throughout an organization.
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. This model can be applied organization-wide, for a single line-of-business, or even for an individual project. Beyond these traits, SAMM was built on the following principles:
- An organization's behavior changes slowly over time. A successful software security program should be specified in small iterations that deliver tangible assurance gains while incrementally working toward long-term goals.
- There is no single recipe that works for all organizations. A software security framework must be flexible and allow organizations to tailor their choices based on their risk tolerance and the way in which they build and use software.
- Guidance related to security activities must be prescriptive. All the steps in building and assessing an assurance program should be simple, well-defined, and measurable. This model also provides roadmap templates for common types of organizations.
The foundation of the model is built upon the core business functions of software development, with security practices tied to each. The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities in which an organization could engage to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, and estimate personnel and other costs.
Building Security in Maturity Model (BSIMM)
The Building Security in Maturity Model (BSIMM) is the result of a multiyear study of real-world software security initiatives. The BSIMM8 model is built directly out of data observed in 109 software security initiatives; seventy-two of the firms are listed in the Acknowledgments section on page 3 of the BSIMM8 report. The BSIMM is a measuring stick for software security. The best way to use it is to compare and contrast your own initiative with the data in the model about what other organizations are doing. You can then identify your own goals and objectives and refer to the BSIMM to determine which additional activities make sense for you.
The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.
The Cybersecurity Framework in Action: An Intel Use Case
This is a real-life case study of Intel using the NIST Cybersecurity Framework.
The first version of the Framework was delivered on February 12, 2014, and soon thereafter Intel launched a pilot project to test the Framework's use at Intel. Intel's pilot project assessed cybersecurity risk for our Office and Enterprise infrastructure. We focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool, rather than a set of static compliance requirements.
Measure Your Cyber Security Score For Free
Measure and benchmark your cybersecurity performance against the industry and your peers. See what customers and attackers can easily observe about your external cybersecurity posture. The assessment includes a cyber security portfolio analysis, an application security score, an SSL score, a network security score, a DNS security score, an email security score and a review of information leaks.