Every organization is in a different state in its maturity when it comes to software development. Some are just getting started, while others have very thorough processes in place that result in securely designed code. Maturity models provide a way for organizations to evaluate themselves against a standard benchmark and identify the next steps in evolving their software development practices. In this video, learn about two popular maturity models: the software Capability Maturity Model and the IDEAL model.
- [Instructor] Every organization is at a different state in its maturity when it comes to software development. Some are just getting started, while others have very thorough processes in place that result in securely designed code. Maturity models provide a way for organizations to evaluate themselves against a standard benchmark and identify the next steps in evolving their software development practices. The Software Engineering Institute, or SEI, at Carnegie Mellon University developed the Software Capability Maturity Model, often referred to by the acronym SW-CMM.
This model helps organizations identify where they are in the maturation process. It consists of five different levels: initial, repeatable, defined, managed, and optimizing. When an organization is at level one, initial, they are just getting started with software development and typically don't have a defined software development process. They're creating software with good intentions but don't follow sound engineering practices.
The next step in an organization's development is to move to level two, repeatable. In this phase, the organization might have some basic processes, such as reusing code between projects. This level gets the name repeatable because, in this phase, managers can begin to expect that repeatable results will come from different development projects. Some of the key activities that begin in this phase include requirements management, software project planning, software project tracking and oversight, software subcontract management, software quality assurance, and software configuration management.
Level three brings an organization to the defined stage. At this point, they have formal documented practices that they follow for software development and all development efforts follow those practices. The activities in this level include organization process focus, organization process definition, training programs, integrated software management, software product engineering, intergroup coordination and conducting peer reviews.
Level four organizations are managed. They use quantitative measures to evaluate their progress and understand the effectiveness of their development practices. The activities in this phase include quantitative process management and software quality management. Finally, level five organizations are optimizing. They use continuous process improvement to strive to always get better. Feedback from projects flows back into their development processes, allowing the organization to improve with each project.
Practices here include defect prevention, technology change management, and process change management. The Software Capability Maturity Model is just one approach to evaluating an organization's development efforts. There are others available. For example, the IDEAL model also has five phases: Initiating, Diagnosing, Establishing, Action, and Learning. This model is more focused on the process that an organization follows to improve itself.
Whatever maturity model you choose to use, the model can serve as a guide for continuing to improve your software development practices, and better development practices lead to better security.
This course, along with the others in this nine-part series, prepares you for the CISSP exam and provides you with a solid foundation for a career in information security.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.