Application security

Software maturity models for AppSec initiatives

January 25, 2021 by Susan Morrow


Software is on the front lines of security: a 2019 report from GitLab found that almost half of respondents deploy software on demand or multiple times per day. Releasing at that pace lets vulnerabilities reach production unless a careful, repeatable process is followed. By drawing on the collective knowledge of our peers, software can be developed under exemplary software security initiatives (SSIs) that help protect customers from the specter of cyberattacks.

Building a software capability maturity model can be achieved by using building blocks offered by modern software security models, such as the Building Security in Maturity Model (BSIMM) framework from Synopsys and others such as Software Assurance Maturity Model (SAMM) from OWASP.

The BSIMM11 report

Now in its 11th year, what initiatives does the latest version of BSIMM deliver? The BSIMM is based on the real-world software security initiatives (SSIs) of 130 firms. The data extracted and analyzed from the security work done by these firms acts as a guidepost for your own organization’s security efforts.

The BSIMM standardizes across initiatives that use different terminology and methodologies. By standardizing, a quantifiable framework can be created that is usable by any organization. Unlike some other frameworks, such as the Cybersecurity Maturity Model Certification (CMMC), each practice within the BSIMM is made up of unique activities, and an activity’s level reflects how frequently that activity is observed across participating organizations. For example, an activity that is used a lot is placed in level 1.

The BSIMM creates a set of scorecards that can be used as a guidepost or measure for your cybersecurity initiative and to help bridge gaps in your software maturity model. In this way, the BSIMM acts both as a guide and as a compare-and-contrast template to work from.

The BSIMM11 can provide a 360-degree, almost real-time view of how these practices evolve. Tracking SSI data across 130 companies as their software portfolios grow and as they move to SaaS models provides key insight into what is and is not working. The trends section of the BSIMM is perhaps one of the most enlightening areas of the report.

Trending security initiative activities

A security policy must remain human-readable

BSIMM10 began to see automation replace human-driven governance activities. However, the 11th version of the report stressed that human readability still matters for governance and response, stating that: “For it (a security policy) to be an effective part of a security initiative, security policy must remain human-readable”.

Continuous defect discovery

The continuous delivery culture has resulted in the use of modern defect tools that provide continuous monitoring and reporting. The focus is on resiliency through extremely low latency and continuous detect-plan-respond.

Continuous activity

Security activities are a continuous effort covering all phases of development — this is termed “shift left” by the BSIMM authors. You shouldn’t wait to carry out a security activity; instead, as soon as an artifact is ready, a security activity should be carried out, no matter where in the software development life cycle (SDLC) this is.

Security as resilience and quality

The BSIMM notes that the trend towards resilience has been building up for some years. Organizations are being proactive, adding in security activities across the SDLC. The report pulls out SAST (static application security testing) and SCA (software composition analysis) as best practice quality assurance activities.

BSIMM11 conclusions

The BSIMM11 report provides four noteworthy conclusions, based on the trends and patterns of the data collected. These conclusions sum up the model’s application to SSIs:

  1. Engineering-led software security efforts are having success contributing to DevOps value streams in pursuit of resiliency: In particular, the BSIMM11 has found that firms are using internal talent in cloud and security and applying that expertise to general code. The BSIMM11 report also pulled out the following key point: the need to have robust risk management across all cloud provider resources (including shared resources) for all engineering teams.
  2. Software-defined security governance is no longer just aspirational: Governance-as-code is a goal that is being achieved by adding security activities to the CI/CD-pipeline-as-a-service, as well as by making software delivery self-service for development teams.
  3. Security is becoming part of a quality practice, which is being recognized as part of reliability, all in pursuit of resilience: This is about bridging gaps between traditional siloed security roles and other departments. The BSIMM talks about a dedicated software security group (SSG) being responsive and working across teams. The pursuit of resiliency is becoming as important as security in secure application development.
  4. “Shift left” is becoming “shift everywhere”: “Shift left” has been the mainstay of software security initiatives: that is, once an artifact is ready, have it reviewed. Automation is now an integral part of the CI/CD pipeline, and as such, will change the metrics of shift left to shift everywhere.

Other software maturity models

Several other software maturity models provide frameworks for general or industry-specific SSI requirements. Two well-known examples are:

OWASP Software Assurance Maturity Model (SAMM)

OWASP has developed SAMM to support the complete SDLC. SAMM is an open-source, community-led security framework, designed to be technology- and process-agnostic. The model goes back to 2009. In that time, SAMM has evolved to reflect the changing risk landscape. SAMM V2 was released in 2020 and now covers all development models, including waterfall, iterative, agile and DevOps. SAMM V2, in line with the findings from BSIMM11, also supports automation and development team workflow.

SAMM V2 is based on a set of 15 security practices grouped into five business functions. Each security practice contains two streams with a set of security activities, structured into three maturity levels (1–3). Lower maturity levels are typically easier to execute than the higher maturity levels. The basic steps of SAMM execution are:

  • Preparation
  • Assessment
  • Setting the target
  • Define the plan
  • Implementation
  • Roll-out

Each step takes you through a series of best practices and offers resources and templates to guide you through the tasks.
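The assessment, target-setting and planning steps above, as an added illustration that is not OWASP’s own SAMM toolbox: a minimal scorer for the SAMM V2 structure of practices, two streams per practice and three maturity levels, which compares a constructed assessment against target scores and lists the gaps to plan against. The answer weights (0, 0.25, 0.5, 1) are an assumption of this example.

```python
from dataclasses import dataclass
# Answer weights per maturity-level question. These weights are an assumption
# of this example, not a quote of the SAMM toolbox.
ANSWER_WEIGHT = {"no": 0.0, "few": 0.25, "half": 0.5, "most": 1.0}

@dataclass
class Practice:
    function: str   # one of the five SAMM business functions
    name: str       # security practice name
    streams: dict   # stream name -> answers for maturity levels 1, 2, 3

def stream_score(answers):
    """Weighted sum over the three maturity-level questions (0.0 .. 3.0)."""
    if len(answers) != 3:
        raise ValueError(f"expected 3 answers, got {len(answers)}")
    return sum(ANSWER_WEIGHT[a] for a in answers)

def practice_score(practice):
    """Practice score: mean of its stream scores (two streams in SAMM V2)."""
    scores = [stream_score(a) for a in practice.streams.values()]
    return sum(scores) / len(scores)

def gap_plan(practices, targets):
    """List practices below their target score, largest gap first."""
    rows = []
    for p in practices:
        current, target = practice_score(p), targets.get(p.name, 0.0)
        if current < target:
            rows.append({"function": p.function, "practice": p.name,
                         "current": current, "target": target, "gap": target - current})
    return sorted(rows, key=lambda r: (-r["gap"], r["function"], r["practice"]))

# Constructed sample assessment; stream names follow SAMM V2.
ASSESSMENT = [
    Practice("Governance", "Strategy & Metrics",
             {"Create and Promote": ["most", "no", "no"],
              "Measure and Improve": ["half", "no", "no"]}),
    Practice("Implementation", "Secure Build",
             {"Build Process": ["most", "half", "no"],
              "Software Dependencies": ["most", "most", "no"]}),
    Practice("Verification", "Security Testing",
             {"Scalable Baseline": ["most", "most", "half"],
              "Deep Understanding": ["few", "no", "no"]}),
]
TARGETS = {"Strategy & Metrics": 1.0, "Secure Build": 2.0, "Security Testing": 1.0}

if __name__ == "__main__":
    for r in gap_plan(ASSESSMENT, TARGETS):
        print(r["function"], r["practice"], f'{r["current"]:.2f}/{r["target"]:.2f}')
```

Security Testing meets its target and is omitted from the plan; the two remaining practices carry equal gaps and are ordered by business function.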

Cybersecurity Maturity Model Certification (CMMC)

Some software maturity models are industry-specific and build certification into the remit of the model. The Cybersecurity Maturity Model Certification (CMMC) is specifically designed for DoD suppliers to demonstrate the ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Without demonstrable CMMC adherence, a DoD supplier cannot bid for DoD tenders.

The CMMC is built upon a foundation of security requirements from NIST SP 800-171 and DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012. The CMMC framework is based on five levels, each increasing in security maturity and posture. Beginning at level 1, the levels go from basic security hygiene through intermediate and good security hygiene to levels 4 and 5, which are all about protecting against Advanced Persistent Threats (APTs). Certification for CMMC compliance is carried out by a Third-Party Assessment Organization (C3PAO).

A robust AppSec initiative is a must-have in a world where cybersecurity threats to data and resources only ever seem to increase. The software applications that the modern enterprise is built on are prime targets for cybercriminals intent on stealing data and/or causing serious losses through ransomware, APTs and other cyberattacks. As this cyber-threat landscape has morphed, software development methodologies like DevOps have likewise changed the way the software development life cycle delivers, manages and maintains software.

GitLab’s 2019 report concluded:

“The big takeaway from this survey is that early adopters of strong DevOps models experience greater security and find it easier to innovate, but barriers still prevent developers and security teams from achieving true DevSecOps.”

Bringing great AppSec initiatives into play is a demanding job. Thankfully, the collective “hive mind” of countless information security professionals and software developers has created software maturity models and frameworks. These models, including BSIMM and SAMM, provide a way to build and deliver secure applications across the entire SDLC.


Sources

2019 Global Developer Report: DevSecOps finds security roadblocks divide teams, GitLab

The BSIMM11 has launched—don’t miss the latest findings, BSIMM

CMMC FAQs, Office of the Under Secretary of Defense for Acquisition & Sustainment

Cybersecurity Maturity Model Certification (CMMC), Office of the Under Secretary of Defense for Acquisition & Sustainment

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171), NIST

52.204-21 Basic Safeguarding of Covered Contractor Information Systems, FAR

The Model, SAMM

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.