Security Maturity Self-Assessment Framework for Software Development Lifecycle
Raluca Brasoveanu, Yusuf Karabulut, Ivan Pashchenko
Published in: Proceedings of the 17th International Conference on Availability, Reliability and Security
Publication date: 2022-08-23
DOI: 10.1145/3538969.3543806 (https://doi.org/10.1145/3538969.3543806)
Citations: 3
Abstract
Vulnerable software often originates from insufficient attention to security in the software development lifecycle. However, current maturity models provide limited support for teams to assess the security maturity of their software development practices. In this paper, we propose a security maturity self-assessment framework for the software development lifecycle. The proposed framework is based on three well-known and industry-accepted models that focus on increasing the security maturity of software products: the OWASP DevSecOps Maturity Model (DSOMM), the OWASP Software Assurance Maturity Model (SAMM), and the Building Security In Maturity Model (BSIMM). The preliminary validation with software developers suggests that the proposed framework helps teams to understand the security posture of their software products and to identify which security practices need improvement.