lifecycle
Oct 05 2010
Secure Development - SAMM - Security Requirements
This post continues my 12-part series about the Software Assurance Maturity Model (SAMM). Today we will be talking about Security Requirements, the second security practice in the Construction function. Almost all software development is driven by a set of business requirements, but unfortunately security is often not factored into these requirements at the start of a project. To address this issue, analysts and managers should work to integrate Security Requirements into a development project from the beginning. Security Requirements serve as a "hook" for security: once security has been written into the requirements, it will naturally follow the development lifecycle through design, development, testing, and deployment to production.
Aug 26 2010
Secure Development - Introduction to SAMM
Over the course of the next several months, this blog will explore the Software Assurance Maturity Model (SAMM) in detail. Last time, we talked about some of the many methodologies for integrating secure practices into the development cycle, but in the interest of keeping it simple we will be focusing on SAMM going forward.
First, a quick introduction to SAMM: according to its creators, SAMM is "an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization." The model is based on the following three premises, which ensure that it is realistic and flexible:
Aug 16 2010
Secure Development Methodologies Overview
Over the last few months, this blog series has focused on the technical details of integrating security during the development phase. While this is the most critical phase, where the proverbial rubber meets the road, developers alone cannot bear the burden of producing secure code. To achieve robust security, it must be integrated into the whole software development lifecycle, from requirements to testing and beyond.
There has been a lot of work in this space recently. This post will attempt to give an overview of the various methodologies and approaches, but it is not designed to be an exhaustive list, and the methodologies are presented in no particular order.