[Owasp-cmm] Philosophies on Maturity Models
Dan Cornell
dan at denimgroup.com
Wed Aug 6 02:13:25 EDT 2008
2. Since I interact with lots of enterprisey types, I am also a big believer in the notion of immaturity models. For example, I would rate the Rational Unified Process as a -2 as I believe that if Grady Booch were to visit enterprises that said they were practicing it, he wouldn't even recognize it. In other words FUBAR...
From the perspective of normal software development, a failure to attain a maturity level (CMMi) will result in project delays and failures. Security is somewhat different in that a failure to attain a maturity level will likely result in opening up your organization to a breach of policies and controls (specifically security policies and controls).
Therefore the stakes are a little higher here. If you have a low CMMi level then you probably have project delays and the software you deploy doesn’t meet user needs. If you have a low security maturity rating (OWASP-CMM, OMM, ASMM, SAMM, etc.) then you are more open to defeating a variety of controls your organization should have in place.
That makes an application security maturity model different in that ad hoc isn’t just the absence of good – it is to a certain degree the embodiment of bad.
Good thing I’ve never worked with an organization like that :)
Thanks,
Dan