
Security Maturity Self-Assessment Framework for Software Development Lifecycle

Published: 23 August 2022

Editorial Notes

The authors have requested minor, non-substantive changes to the Version of Record and, in accordance with ACM policies, a Corrected Version of Record was published on August 25, 2022. For reference purposes, the VoR may still be accessed via the Supplemental Material section on this page.

Abstract

Vulnerable software often originates from insufficient attention to security in the software development lifecycle. However, current maturity models provide limited support for the teams to assess the security maturity of their software development practices.
In this paper, we propose a security maturity self-assessment framework for the software development lifecycle. The proposed framework is based on three well-known, industry-accepted models that focus on increasing the security maturity of software products: the OWASP DevSecOps Maturity Model (DSOMM), the OWASP Software Assurance Maturity Model (SAMM), and the Building Security In Maturity Model (BSIMM).
The preliminary validation with software developers suggests that the proposed framework helps teams to understand the security posture of their software products and to identify which security practices need improvements.

Supplemental Material

PDF File - 3543806-vor
Version of Record for "Security Maturity Self-Assessment Framework for Software Development Lifecycle" by Brasoveanu et al., Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES '22).




Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN:9781450396707
DOI:10.1145/3538969

Publisher

Association for Computing Machinery

New York, NY, United States



Author Tags

  1. Framework
  2. Secure software development lifecycle
  3. Security Maturity

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 137
  • Downloads (last 6 weeks): 12

Reflects downloads up to 20 Feb 2025.

Citations

  • (2024) An Empirical Study of DevSecOps Focused on Continuous Security Testing. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 610-617. DOI: 10.1109/EuroSPW61312.2024.00074. Online publication date: 8 Jul 2024.
  • (2024) Ensuring the Integrity, Confidentiality, and Availability of IoT Data in Industry 5.0: A Systematic Mapping Study. IEEE Access, vol. 12, pp. 107017-107045. DOI: 10.1109/ACCESS.2024.3434618. Online publication date: 2024.
  • (2024) Identifying the primary dimensions of DevSecOps. Journal of Systems and Software, vol. 214, issue C. DOI: 10.1016/j.jss.2024.112063. Online publication date: 18 Jul 2024.
  • (2024) DevSecOps practices and tools. International Journal of Information Security, vol. 24, issue 1. DOI: 10.1007/s10207-024-00914-z. Online publication date: 5 Nov 2024.
  • (2023) An Exploratory Study Gathering Security Requirements for the Software Development Process. Electronics, vol. 12, issue 17, article 3594. DOI: 10.3390/electronics12173594. Online publication date: 25 Aug 2023.
  • (2023) Cybersecurity Maturity Model to Prevent Cyberattacks on Web Applications Based on ISO 27032 and NIST. 2023 IEEE XXX International Conference on Electronics, Electrical Engineering and Computing (INTERCON), pp. 1-8. DOI: 10.1109/INTERCON59652.2023.10326028. Online publication date: 2 Nov 2023.
