
The maturity model is a framework that describes the different stages of organizational maturity in a particular domain, such as project management or software development.
However, not every organization needs to follow a predefined maturity model in its entirety. Instead, organizations can “right-size” the maturity model to fit their specific needs and resources. By right-sizing the maturity model, you can develop a framework that is tailored to your organization’s specific needs and goals, rather than trying to fit your organization into a predefined framework that may not be the best fit.
Software security maturity models are frameworks that give organizations a structured way to evaluate and improve their software security practices, and, more broadly, to assess and improve their cybersecurity posture over time. Security is a complex undertaking, and that complexity calls for a systematic approach.
As with any new initiative or program, introducing a security program is extremely challenging for organizations:
- First of all, an organization’s behavior changes slowly over time. Hence, changes need to be small and iterative to take hold and make a difference.
- Secondly, there is no single recipe that works for all organizations.
- Thirdly, guidance related to security activities must be prescriptive.
A more applicable software security maturity model should have the following attributes:
- Models up-to-date development practices and environments
- Readily scales from small/startup to enterprise, leaving no organization out
- Understands that required levels of maturity are contextual. Every organization needn’t strive for the highest levels in all practices
- Includes risk as a maturity driver
- Easily customized
Consider an early-stage company just starting its security journey. Typically, there will be no dedicated security department and no security team. If there is anyone whose role is committed to security, they may very well be working solo. Governance, such as it is, is often “leaders’ best effort”. So models that require a baseline application policy set at step 1, and security requirements for “all applications” to reach step 2 don’t make much sense for a startup (see https://owaspsamm.org/model/governance/policy-and-compliance/). We at Purple Book are asking ourselves, “What does such an organization need to start? And where are the most relevant next steps?”