SAMM Overview


We use the Software Assurance Maturity Model (SAMM) framework as a common lexicon for describing the core business functions of software development and the security practices tied to each function. SAMM (v1) organizes software security into four business functions (Governance, Construction, Verification, and Deployment), each broken down into three security practices that an organization can assess and improve across three maturity levels. The following are definitions for the core business functions and security practices of SAMM:

[Figure: SAMM Overview, showing the four business functions and their twelve security practices]

Governance

This business function covers the processes and activities related to how an organization manages its overall software development activities. More specifically, this includes concerns that cut across the groups involved in development, as well as business processes established at the organization level.

Strategy & Metrics

This practice covers the overall strategic direction of the software assurance program and the instrumentation of processes and activities to collect metrics about the organization's security posture.

Policy & Compliance

This practice covers setting up a security and compliance control and audit framework across the organization to increase assurance in software under construction and in operation.

Education & Guidance

This practice covers increasing security knowledge among software development personnel through training and guidance on the security topics relevant to each job function.

Construction

This business function covers the processes and activities related to how an organization defines goals and creates software within development projects. In general, this includes product management, requirements gathering, high-level architecture specification, detailed design, and implementation.

Threat Assessment

This practice covers accurately identifying and characterizing potential attacks on the organization's software in order to understand the risks and support risk management.

Security Requirements

This practice covers promoting the inclusion of security-related requirements during the software development process so that correct functionality is specified from inception.

Secure Architecture

This practice covers bolstering the design process with activities that promote secure-by-default designs and control over the technologies and frameworks on which software is built.

Verification

This business function covers the processes and activities related to how an organization checks and tests the artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.

Design Review

This practice covers inspection of the artifacts created by the design process to ensure that adequate security mechanisms are provided and that the organization's expectations for security are met.

Code Review

This practice covers assessment of the organization's source code to aid vulnerability discovery and related mitigation activities, and to establish a baseline for secure coding expectations.

Security Testing

This practice covers testing the organization's software in its runtime environment, both to discover vulnerabilities and to establish a minimum standard that software must meet before release.

Deployment

This business function covers the processes and activities related to how an organization manages the release of the software it has created. This can involve shipping products to end users, deploying products to internal or external hosts, and the normal operation of the software in its runtime environment.

Vulnerability Management

This practice covers establishing consistent processes for handling internal and external vulnerability reports, in order to limit exposure and to gather data that improves the security assurance program.

Environment Hardening

This practice covers implementing controls in the operating environment surrounding the organization's software to strengthen the security posture of deployed applications.

Operational Enablement

This practice covers identifying and capturing the security-relevant information an operator needs to properly configure, deploy, and run the organization's software.