SAMM
Jan 13 2011
Software Assurance - Design Review
This post continues my 12-part series about the Software Assurance Maturity Model (SAMM). Today we will be talking about Design Review, the first security practice in the Verification function.
The Design Review (also called Architecture Review) is a crucial milestone in the software assurance lifecycle, providing an opportunity to spot major high-level issues early in the process, when they are still relatively inexpensive to fix. It is typically conducted by security-savvy staff: dedicated members of the project team on large projects, or reviewers working alongside the project architect(s) on smaller teams.
First Maturity Level
Nov 03 2010
Software Assurance - Secure Architecture
This post continues my 12-part series about the Software Assurance Maturity Model (SAMM). Today we will be talking about Secure Architecture, the third and final security practice in the Construction function. Starting with this post, I am also changing the title naming convention to refer more generally to "software assurance" rather than "secure development." Software assurance is an industry-standard term and encompasses the full spectrum of software security activities across an organization.
Oct 05 2010
Secure Development - SAMM - Security Requirements
This post continues my 12-part series about the Software Assurance Maturity Model (SAMM). Today we will be talking about Security Requirements, the second security practice in the Construction function. Almost all software development is driven by a set of business requirements, but unfortunately security is often not factored into these requirements at the start of a project. To address this issue, analysts and managers should work to integrate Security Requirements into a development project from the beginning. Security Requirements serve as a "hook" for security: once security has been written into the requirements, it will naturally follow the development lifecycle through design, development, testing, and deployment to production.
Sep 16 2010
Secure Development - SAMM - Threat Assessment
While the SAMM model lists Governance as the first business function, we will start with the Construction and Verification functions since they address some of the more traditional and well-known aspects of the software development lifecycle. Once we have explored these functions, the infrastructure discussed in the Deployment and Governance functions is a logical extension.
Aug 26 2010
Secure Development - Introduction to SAMM
Over the course of the next several months, this blog will explore the Software Assurance Maturity Model (SAMM) in detail. Last time, we talked about some of the many methodologies for integrating secure practices into the development cycle, but in the interest of keeping it simple we will be focusing on SAMM going forward.
First, a quick introduction to SAMM: according to its creators, SAMM is "an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization." The model is based on the following three premises, which ensure that it is realistic and flexible: