Comparing OpenSAMM and BSIMM
OpenSAMM (Open Software Assurance Maturity Model) and BSIMM (Building Security in Maturity Model) are two open-source software security maturity models that allow an organization to assess in detail how security measures are integrated into its software development process and to determine how the maturity of the program being developed can be further enhanced (Arciniegas, 2008; Merkow & Raghavan, 2010). Both models can provide useful guidance for testing and improving the security of a program, but for certain purposes one of the models may serve the established goals better than the other (Ransome & Misra, 2014).
On the whole, it should be stressed that while both security maturity models have a similar structure, their approaches to supplying guidelines are quite different (Ransome & Misra, 2014). More specifically, OpenSAMM is a prescriptive model: it lays out the process of security testing and of implementing security measures (Morrow, 2016). This process consists of four main categories, each of which corresponds to a business function (governance, construction, verification, and operations) and includes three security practices that should be followed in order to ensure that the produced software remains highly secure (OpenSAMM, n.d., pp. 8-9). In contrast, BSIMM is more descriptive in nature; it was developed by Cigital and is based on data gathered in research (Morrow, 2016). Generally speaking, BSIMM organizes the 112 security activities it provides into 12 practices, which are in turn divided into four domains (governance, intelligence, SSDL touchpoints, and deployment), and recommends these practices as the means of enhancing the software security maturity of a program (BSIMM, n.d.).
Therefore, the two security maturity models are similar in that both are divided into four domains, each of which encompasses three different types of activities that should be carried out in order to ensure the security of a given program. Also, both models measure the maturity level of a product on a scale from 1 to 3, where 1 denotes the lowest level of maturity and 3 the highest (Morrow, 2016). Importantly, a subsequent level of maturity can be attained only if all the requirements of the previous levels have been met; for instance, it is impossible to obtain a score of 3 unless all the requirements for levels 1 and 2 have been satisfied (BSIMM, n.d.; OpenSAMM, n.d.).
There are, however, some significant differences between the two models. First of all, BSIMM supplies descriptions of 112 activities within its 12 security practices; these are to be implemented in order to make sure that the software being created corresponds to the proper maturity level (BSIMM, n.d.). On the other hand, OpenSAMM features 72 activities in its 12 security practices, and reaching a given level in a practice requires completing the two activities defined for that level of that practice (OpenSAMM, n.d.).
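As an added example (not code from the essay or from either model's published materials), the following scorer applies the OpenSAMM rule just described, together with the level-gating rule both models share: a practice earns level N only when both activities of level N are done and every lower level is already complete. The practice names follow OpenSAMM's naming, but the activity letters and the completion record are constructed for illustration.

```python
from collections import defaultdict

ACTIVITIES_PER_LEVEL = 2   # OpenSAMM: two activities define each level of a practice
MAX_LEVEL = 3              # both models score maturity from 1 to 3

# Constructed assessment record: (practice, level, activity) triples marked complete.
COMPLETED = {
    ("Strategy & Metrics", 1, "A"), ("Strategy & Metrics", 1, "B"),
    ("Strategy & Metrics", 2, "A"), ("Strategy & Metrics", 2, "B"),
    ("Strategy & Metrics", 3, "A"),                              # level 3 half done -> scores 2
    ("Security Testing", 1, "A"),                                # level 1 incomplete -> scores 0
    ("Security Testing", 2, "A"), ("Security Testing", 2, "B"),  # level 2 done but gated by level 1
    ("Code Review", 1, "A"), ("Code Review", 1, "B"),
    ("Code Review", 2, "A"), ("Code Review", 2, "B"),
    ("Code Review", 3, "A"), ("Code Review", 3, "B"),            # all three levels -> scores 3
}


def practice_level(completed, practice):
    """Highest level reached by `practice`, counting upward from level 1.

    A level counts only when both of its activities are complete AND every
    lower level already counts; the loop stops at the first incomplete level,
    which is exactly the gating rule described in the text."""
    done = defaultdict(int)
    for prac, lvl, _act in completed:
        if prac == practice:
            done[lvl] += 1
    level = 0
    for lvl in range(1, MAX_LEVEL + 1):
        if done[lvl] < ACTIVITIES_PER_LEVEL:
            break
        level = lvl
    return level


def assess(completed):
    """Score every practice that appears in the completion record."""
    practices = {prac for prac, _, _ in completed}
    return {p: practice_level(completed, p) for p in sorted(practices)}


def gated_effort(completed):
    """Practices holding completed activities more than one level above their
    score: work that cannot raise the score until the lower level is finished."""
    scores = assess(completed)
    gaps = {}
    for prac, score in scores.items():
        stranded = sorted({lvl for p, lvl, _ in completed if p == prac and lvl > score + 1})
        if stranded:
            gaps[prac] = stranded
    return gaps
```

Running `assess(COMPLETED)` shows why the gating rule matters in practice: Security Testing scores 0 despite two finished level-2 activities, and `gated_effort` flags that stranded work.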
It is also significant that BSIMM provides actual data analysis based on research into the security activities of firms, while OpenSAMM does not. The number of firms in which BSIMM has been implemented grows steadily, providing invaluable data about the use of these security practices in real life (Morrow, 2016).
On the other hand, OpenSAMM, being a prescriptive model, supplies a definite objective for each of the security practices and permits evaluating the degree to which each objective has been fulfilled (Morrow, 2016). This may be extremely useful for organizations that wish to have definite goals and strive towards achieving them.
Strengths and Weaknesses of Applying the Models
Generally speaking, there are several strengths to utilizing OpenSAMM for the Affordable Care Act website. With respect to the functions of the website (to provide information and assistance pertaining to health care for the population) and its operating environment, OpenSAMM possesses two important strengths: 1) it is simpler than BSIMM, including 72 security activities rather than 112, which makes it easier to implement, and 2) it is flexible, so it can be used not only by small or medium but also by large organizations (Merkow & Raghavan, 2010). On the other hand, there are two important weaknesses: a) it includes no statistics gained from real-world organizations, thus remaining poorly tested; and b) it is prescriptive and requires continuous improvement over time (Merkow & Raghavan, 2010), which might be problematic for a website that might have to be completely changed if the law is amended.
On the other hand, there are several strengths of employing BSIMM for the Affordable Care Act website. For instance, 1) BSIMM is based on data gained from a variety of organizations, which allows for a more evidence-based implementation of this security maturity model. Also, 2) because one of the functions of the ACA website is to reflect changes in the law, it is useful that BSIMM mainly serves as an educational approach rather than a policing approach: it allows employees to become used to adhering to software security principles rather than being unaware of them or ignoring them, which may be especially important if there are changes in the ACA (Merkow & Raghavan, 2010; U.S. Department of Health & Human Services, 2017). However, there are also some disadvantages: a) being a descriptive approach, it does not provide specific objectives that should be met each time the website is modified; and b) the procedure for ensuring that the requirements of BSIMM have been met is somewhat more complicated than that for OpenSAMM.
Adopting a Specific Model
On the whole, it might be recommended that BSIMM is utilized for ensuring the software security maturity of the ACA website, because of the advantages BSIMM possesses in this particular situation. For instance, the fact that BSIMM provides statistics from multiple companies using this model allows the guidelines it provides to be implemented in the most effective manner, because the peculiarities of this type of organization and this type of website will be accounted for (BSIMM, n.d.). Also, implementing BSIMM will enable the employees who participate in software development to produce more secure programs on their own each time the ACA changes, without the need for continuous guidance (Merkow & Raghavan, 2010).
Steps for Applying BSIMM
To implement BSIMM in an organization, it is pivotal to take the following steps:
- Create a software security group (SSG) that is responsible for finding and fixing software security problems, as well as for establishing the organizational practice of adhering to the security maturity model (BSIMM, n.d.);
- Ensure that the group carries out the security practices recommended in BSIMM and implements them at all levels of the organization;
- Continuously enhance the security level of the existing software, making sure that it is regularly reviewed so as to address the new security challenges that may arise over time.
References
Arciniegas, F. (2008). Maturity models. In K. Naik & P. Tripathy (Eds.), Software testing and quality assurance: Theory and practice (pp. 546-580). Hoboken, NJ: John Wiley & Sons.
BSIMM. (n.d.). Download BSIMM8. Web.
Merkow, M. S., & Raghavan, L. (2010). Secure and resilient software development. Boca Raton, FL: CRC Press.
Morrow, J. (2016). Software security maturity models – BSIMM & OpenSAMM [Blog post]. Web.
OpenSAMM. (n.d.). Software assurance maturity model. Web.
Ransome, J., & Misra, A. (2014). Core software security: Security at the source. Boca Raton, FL: CRC Press.
U.S. Department of Health & Human Services. (2017). About the Affordable Care Act. Web.