...d-out of an assurance program is simple. An organization begins an improvement phase and works to achieve the stated Levels by performing the prescribed Activities. At the end of the phase, the roadmap should be adjusted based on what was actually accomplished, and then the next phase can begin.

Roadmaps (pictured to the right) consist of phases (the vertical bars) in which several Practices are each improved by one Level. Therefore, building a roadmap entails selecting which Practices to improve in each planned phase. Organizations are free to plan as far into the future as they wish, but are encouraged to iterate based on business drivers and organization-specific information to ensure the assurance goals are commensurate with their business goals and risk tolerance.

Several roadmap templates for common types of organizations are provided. Thus, many organizations can choose an appropriate match and then tailor the roadmap template to their needs. For other types of organizations, it may be necessary to build a custom roadmap.

One of the main uses of SAMM is to help organizations build software security assurance programs. That process is straightforward, and generally begins with an assessment if the organization is already performing some security assurance activities.
[Figure: program-building flowchart (Select, Mark selected on roadmap, Adjust, Adding phase?, Done) and roadmap chart labelled by Practice (Strategy & Metrics, Policy & Compliance, Education & Guidance, Code Review, Security Testing, Vulnerability Management, Operational Enablement); the image itself was not captured.]

SAMM / Applying the Model - v1.0

Independent Software Vendor

Roadmap template

Rationale

An Independent Software Vendor involves the core business function of building and selling software components and applications. Initial drivers to limit common vulnerabilities affecting customers and users lead to early concentration on Code Review and Security Testing activities. Shifting toward more proactive prevention of security errors in product specification, an organization adds activities for Security Requirements over time. Also, to minimize the impact from any discovered security issues, the organization ramps up Vulnerability Management activities over time. As the organization matures, knowledge transfer activities from Operational Enablement are added to better inform customers and users about secure operation of the software.

Additional Considerations

For organizations using external development resources, restrictions on code access typically lead to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify secur...