I often get asked how to plan a roadmap for an AppSec or DevSecOps program, and this is where the concept of a maturity model came from and the main reason such models exist.
What is BSIMM and OWASP SAMM?
BSIMM - Building Security In Maturity Model
OWASP SAMM (formerly OpenSAMM) - Software Assurance Maturity Model
Both models came from founders who worked at the same organisation (Fortify Software) and split into two models over a difference of opinion about how a model should be presented.
The fundamental differences
BSIMM is a reporting snapshot, a statement of current state measured against other companies using a common standard. Are you a FAANG company (Facebook, Amazon, Apple, Netflix, Google)? Then BSIMM is great for you. Everyone else who measures against those companies is setting themselves up with an unrealistic maturity model that doesn’t apply to them.
If you are an AppSec vendor or researcher, then this is the model for you, and as a consumer of such content I find any material using BSIMM to be outstanding and helpful.
SAMM is collaborative and specific in setting goals and objectives, whether to formulate a roadmap, assess current maturity, or set an expectation of maturity requirements, with actionable and measurable activities built into the model.
I've used it numerous times and it has always been received well and truly made my job easy.
What are they each good for?
BSIMM can compare you to ‘best of’ organisations; SAMM can compare you easily to any other organisation, whatever maturity level either of you is at.
SAMM can provide specific, actionable activities for a maturity roadmap and can be reported against as often as needed; BSIMM explains maturity in higher-level language and, because of that high-level nature, is best suited to infrequent reporting.
Can they be combined?
Yes of course, but ‘Should they be combined?’ is the better question.
If the founders could not create a combined model, and each knew the models very intimately, should we expect that we can do better than them? We likely think we can, but in reality that would be claiming we can do better than the creators of these models. I very much do not see myself in that light, and I hesitate to trust anyone, or any small team, who claims to be better than these outstanding professionals who created the models with large amounts of contributions.
Using them simultaneously, but separately, is the best approach. That way you can gain insight into the requirements for your roadmap using SAMM, and have the outcomes of following past roadmap objectives baselined across the industry with BSIMM.
BSIMM tells you how well or poorly you are doing compared to your peers for the past AppSec activities that contributed to your current state; that comparison is made at the resulting state, not at the level of each activity. If you need a strategy, or need to convey one, BSIMM is a great tool.
OWASP SAMM can do the same, eventually. It is focussed more on guiding you to set requirements and validate them for a more actionable AppSec roadmap, a set of activities that implementers will use. It is weaker strategically, because an AppSec program strategy would not want to get into the level of detail SAMM provides; SAMM can therefore be a burden to 'bring up a level' if defining the strategy with SAMM as guidance is your goal. SAMM will be most valuable for technical teams communicating hard AppSec topics up to the broader business, who may lack AppSec jargon, and it gives practitioners everything they need to make good decisions that fit their circumstances.
Once you have identified the reason you are seeking a maturity model, whether to build out a roadmap of actionable activities or to compare yourself against best-in-class Fortune 100 companies and make high-level strategic decisions, there really is no comparison between BSIMM and SAMM: they each serve a different purpose.
If we use any model, it should be the unaltered standard model that has been scrutinised by the industry's best and brightest. Using an altered or combined model would not be using a standardised model, nor could it be validated as a good fit, because it would no longer be a model that has been widely scrutinised; you would have no basis for knowing whether it fits your needs.
Such a model would be the brainchild of an individual or small team, not an industry-recognised standard. Stick to the unaltered models best suited to your needs.
DSOMM - Honourable Mention
The DevSecOps Maturity Model (DSOMM) is an OWASP project that covers a superset of SAMM, as well as areas outside OWASP such as ISO standards. It keeps definitions and well-understood concepts where they are already best defined rather than trying to redefine them, as shown by its mappings to OWASP SAMM v2 and ISO27001:2017.