What’s up with the other model?

A day or two back, Cigital and Fortify just released another maturity model named the Building Security In Maturity Model (BSI-MM). I’ve had lots of folks ask me about it and how it’s related to SAMM, so I figured I should write a post about it. The short answer: they’re different (BSIMM forked from the SAMM Beta). The long answer? Keep reading…

So, a long time ago in a galaxy far… ahem… actually, it was last July (2008). Brian Chess and I had a drink at RSA and discussed what I’d be doing with my time now that I’d left Cigital to start independent consulting. I was really focused on using my new found spare time to build the next revision to CLASP. In my vision (which I talked about as early as the OWASP EU conference in Milan in May of 2007), there would be a model that both demonstrated how to logically improve individual security functions over time as well as a collection of prescriptive roadmaps based on the organization type.

Brian and Fortify gave me contract to fund development of what would become the SAMM Beta. Once the Beta was complete last August, Gary McGraw (who sits on Fortify’s Technical Advisory Board) got word of SAMM and wanted to get Cigital involved. We had one meeting for Cigital to provide feedback on SAMM, but it was clear to me that they wanted to take the model in a different direction than I had wanted (lots of reasons here, but one objection I had was use of branding/marketing terminology). So, we forked.

Gary, Brian, and Sammy (and maybe others) massaged the high-level framework from SAMM into what they call their Software Security Framework (SSF). They took this out to 9 big companies with advanced secure development practices to get feedback on what those companies are actually doing. Though I really liked the idea of collecting that data, I wasn’t involved at all. Based on what they learned from SAMM and what they heard from those 9, they created the BSI-MM. So, even though the models may seem similar in structure, they’re different in terms of content.

Just as a disclaimer on the current state of things, I have not worked with the folks at Cigital, but I’m still actively collaborating with folks at Fortify who are supporting both models (and maybe others too!). If folks are interested, I’ll write up more about SAMM vs. BSI-MM once the next release of SAMM comes out next week.


  1. #1 by R. Stevens - March 9th, 2009 at 03:42

    I am confused, how can a model be vendor neutral if from it’s infancy was funded by one of the vendors in this space “Fortify”.

  2. #2 by chandra - March 9th, 2009 at 08:40

    Good question. Even though it was funded by a vendor, it was built independently based on the collected experiences of myself and several other smart folks.
    We used no commercial proprietary terms and pay particular attention to language to make sure there was nothing slanted for (or against) any product or services vendor out there. But you be the judge for yourself — if you see anything proprietary or slanted in SAMM, point it out and we’ll fix it.

  3. #3 by cmlh - September 5th, 2010 at 16:55

    Justin Derry and I are presenting on OpenSAMM vs BSIMM1/2 in Sydney, Australia on 6 Oct 2010 – Further information at http://www.aisa.org.au/index.php?page=281 and http://events.linkedin.com/AISA-Sydney-Application-Security/pub/408209

    Can you let me know if you would be interested in allowing the differences with BSIMM1/2 be contributed back to OpenSAMM rather then having you do this yourself?

  4. #4 by Pravir Chandra - September 11th, 2010 at 01:23

    That would be great if you guys wanted to write it up! Feel free to send drafts or ask questions on the mailing list, and we’ll figure it out from there.

(will not be published)

  1. No trackbacks yet.