Introduction
BSIMM (Building Security in Maturity Model) and OpenSAMM (Open Software Assurance Maturity Model) are two frameworks designed to help organizations build and measure their software security programs, and they are used predominantly by companies and other organizations. It is essential to distinguish the two models and understand their primary functions in order to apply them appropriately in different situations. This paper discusses how the adoption of either BSIMM or OpenSAMM might improve an organization's overall security posture.
OpenSAMM
It is necessary to state that there is no single model that suits every company. Nevertheless, OpenSAMM is designed to assist organizations of all sizes, from small to large, because it is flexible and can be adopted at any level of development maturity (Merkow & Raghavan, 2010). The primary resources offered by OpenSAMM serve the purposes listed below:
- Evaluating an organization's existing software security practices (Chandra, 2008)
- Building a balanced and optimized security assurance program
- Demonstrating measurable improvements to the security assurance program
- Identifying the organization's activities that relate to software security.
OpenSAMM might contribute to and improve an organization's overall security posture because it can be applied to an entire company, a single business line, or even a small individual project at the same time (Chandra, 2008). This allows workers to perform their primary responsibilities without being concerned about the security of their software or files. To obtain a better idea of the model's philosophy, it is useful to list the principles followed by those who contributed to its development:
- An organization's behavior tends to change over time. Therefore, SAMM is designed to sustain software security over an extended period under changing conditions.
- No single design addresses the needs of every company (Mijnhardt, Baars, & Spruit, 2016). Accordingly, SAMM focuses on flexibility and lets users set their own standards and options.
- Every security activity must remain simple to use. This is sometimes crucial, because users might otherwise spend more time configuring the model than getting value from it in their projects.
As mentioned above, OpenSAMM helps organizations build software security assurance programs. Usually, such companies already have some experience in this area and strive to develop new security technologies (Jaatun, Cruzes, Bernsmed, Tøndel, & Røstad, 2015). Several roadmaps are available for this purpose; a company can choose the most appropriate one and adjust it to its needs afterward.
BSIMM
Before discussing the structure and implementation of the BSIMM model, it should be stated that it describes approximately one hundred and thirteen activities that any organization might apply in practice. By offering more options within the same model, the developer gains authority and makes the product more convenient to use (McGraw, Migues, West, & Chess, 2013). However, the adoption of BSIMM is expected to improve the overall security posture of an adopting organization chiefly by involving its architecture group. Engaging the SSG (software security group) with the architecture group is beneficial because the latter team is responsible not only for security but also for adequate performance, scalability, and availability.
Moreover, BSIMM employees claim that their SSG participates in the software design process and provides pointers to particular middleware frameworks or common secure-by-design libraries. The BSIMM SSG is able to resolve certain problems at the earliest stage of any project (McGraw et al., 2013). Such a methodology implies the elimination of errors in the subsequent work and operation of the system.
It should be emphasized that BSIMM created and set its own security standards, which allow a company's employees and developers to adjust their final products to their particular requirements and thereby improve the quality of the services provided (Park, 2015). The organization also uses secure coding standards to avoid defects in a system that must give its customers reliable security services. Currently, the company's workers study the advantages of architecture analysis, which might prevent high-risk flaws in applications in the future.
Conclusion
Both the Building Security In Maturity Model (BSIMM) and the Open Software Assurance Maturity Model (OpenSAMM) are designed to help organizations keep their data and important information secure from outside interference. Nevertheless, each model has its advantages and disadvantages. OpenSAMM focuses on collaboration with a wide range of companies and therefore aims to develop services that are flexible and can be adjusted to almost any user's needs. On the other hand, the main goal of BSIMM is to create a reliable, high-performance security model that can accomplish any task required by the organization that uses it.
References
Chandra, P. (2008). Software assurance maturity model. Software Testing and Quality Assurance, 1(1), 546-580. Web.
Jaatun, M. G., Cruzes, D. S., Bernsmed, K., Tøndel, I. A., & Røstad, L. (2015). Software security maturity in public organisations. Lecture Notes in Computer Science Information Security, 1(1), 120-138. Web.
McGraw, G., Migues, S., West, J., & Chess, B. (2013). Building security in maturity model. Web.
Merkow, M. S., & Raghavan, L. (2010). Secure and resilient software development. Boca Raton, FL: CRC Press.
Mijnhardt, F., Baars, T., & Spruit, M. (2016). Organizational characteristics influencing SME information security maturity. Journal of Computer Information Systems, 56(2), 106-115. Web.
Park, J. (2015). Security design for information protection system using BSIMM. Journal of the Korea Institute of Information Security and Cryptology, 25(6), 1541-1547. Web.