International standards for secure development: educational program

DevSecOps is not just a buzzword, but an entire philosophy that integrates development, security and operations. But how to put this philosophy into practice? This is where international standards come to the rescue.

In this article, we will look at the five main international DevSecOps standards: DSOMM, BSIMM, OWASP SAMM, Microsoft SDL and NIST SP 800-64. We will analyze their features, strengths and weaknesses, and also talk about how to adapt these standards to Russian realities.

Whether you work for a large corporation or a small startup, understanding these standards will help you build a safer and more efficient development process.

This article is based on a lecture from our internship program for aspiring information security specialists in the DevSecOps stream.

In the field of secure development, there are five main international DevSecOps standards:

  1. DSOMM (DevSecOps Maturity Model);

  2. BSIMM (Building Security In Maturity Model);

  3. OWASP SAMM (Software Assurance Maturity Model);

  4. Microsoft SDL (Security Development Lifecycle);

  5. NIST SP 800-64 (Security Considerations in the System Development Life Cycle).

When these standards are compared methodologically, it becomes apparent that approximately 80% of their content is common ground. The remaining 20% consists of specific recommendations and practices that depend on the focus of the particular standard.

DSOMM

DSOMM (DevSecOps Maturity Model) is a maturity model for integrating security practices into DevSecOps processes. In other words, it is a methodology that can be used to assess the maturity level of a specific process implemented within the framework of secure development, identify pitfalls and understand how it can be improved.

This is important because DevSecOps covers not only technical but also organizational aspects. They significantly influence the effectiveness of secure development. The model helps you clearly understand how to use tools, analyze reports, and achieve your goals.

DSOMM defines five levels of maturity in different areas. It identifies the main domains, for each of which a set of mandatory practices is prescribed. Compliance with these practices allows the maturity of a company's processes to be assessed at a certain level. The standard is available online: https://dsomm.owasp.org/.

DSOMM

DSOMM consists of sections, subsections and levels. Sections represent the main areas of work. Subsections detail each direction. Levels reflect the degree of maturity of processes.

Each level contains a requirement and its description. A requirement specifies what needs to be done. The description explains how to implement the requirement or why it is needed.

Benefits of DSOMM. The standard focuses on integrating security into CI/CD processes. The model aims to automate all processes at each stage of the development life cycle.

Disadvantages of DSOMM. Its applicability to traditional development methodologies is limited. Like other standards that define process maturity levels, DSOMM raises the question of whether a particular level is sufficient: should you stay at the basic or advanced level, or strive for enterprise? Another weakness of the model is that it requires high initial investment in employee training and changes to work processes.

BSIMM

BSIMM (Building Security In Maturity Model) is a model for assessing the maturity of security processes. Its distinguishing feature is its reliance on the real practices of 135 companies rather than on theory alone. BSIMM allows organizations to benchmark their security processes against industry leaders.

The standard uses a graph to assess the maturity level of a company's security practices. The maturity of a particular practice is assessed on a numerical scale.

The technique involves constructing two graphs: one reflects the company's performance, the other reflects the average values for the sample. This visual representation helps you compare yourself to market leaders and determine which practices you should work on first.

BSIMM

The methodology is published in English. In total, the standard covers 12 practices, each of which falls into one of four domains. Each practice has its own set of activities. The screenshot below is an example of the activities included in the "Strategy and Metrics" practice (domain "Management").

Each BSIMM practice includes activities that are assigned unique numbers. The first digit of the number allows you to understand what level of maturity is assigned to a particular activity.
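
As an added illustration of the scoring idea just described (this is not code from the original article or from BSIMM itself): the first digit of each activity number is read as its maturity level, each practice is scored, and practices are ranked by their shortfall against a sample average so that the ones to work on first come out on top. The activity IDs, practice abbreviations and benchmark figures are constructed placeholders, not real BSIMM data, and the "highest observed level" scoring rule is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of observed activities in BSIMM style "<practice><level>.<n>".
# These IDs are illustrative and not taken from the real BSIMM catalogue.
OBSERVED = ["SM1.1", "SM1.3", "SM2.2", "CP1.1", "T1.1", "T2.1", "T3.1", "AM1.2"]

# Constructed benchmark: average maturity per practice across a hypothetical
# sample of firms (not real BSIMM figures).
BENCHMARK = {"SM": 2.1, "CP": 1.8, "T": 1.5, "AM": 1.9, "ST": 1.2}

ACTIVITY_RE = re.compile(r"^([A-Z]+)(\d)\.(\d+)$")


def parse_activity(activity_id):
    """Split 'SM2.2' into (practice='SM', level=2, number=2).
    The first digit after the practice abbreviation is the maturity level,
    as the article describes."""
    m = ACTIVITY_RE.match(activity_id)
    if not m:
        raise ValueError(f"not a BSIMM-style activity id: {activity_id!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def practice_scores(observed):
    """Score each practice as the highest level among its observed activities
    (assumed scoring rule); a practice with no observed activity scores 0."""
    scores = defaultdict(int)
    for aid in observed:
        practice, level, _ = parse_activity(aid)
        scores[practice] = max(scores[practice], level)
    return dict(scores)


def gaps(scores, benchmark):
    """Compare the firm's curve against the sample average. Returns rows
    (practice, own_score, average, shortfall) ordered by largest shortfall
    first, including practices with no observed activity at all."""
    rows = []
    for practice, avg in benchmark.items():
        own = scores.get(practice, 0)
        rows.append((practice, own, avg, round(avg - own, 2)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


if __name__ == "__main__":
    own_scores = practice_scores(OBSERVED)
    for practice, own, avg, gap in gaps(own_scores, BENCHMARK):
        flag = "work on first" if gap > 0 else "at or above average"
        print(f"{practice:3} own={own} avg={avg:.1f} gap={gap:+.2f}  {flag}")
```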

Benefits of BSIMM. The model is based on real data and can be used by companies of different sizes and from different industries.

Disadvantages of BSIMM. The standard was developed based on research from large companies with large budgets, so for early-stage startups and companies with a small market share, its full implementation may be problematic.

OWASP SAMM

OWASP SAMM (Software Assurance Maturity Model) is a framework for assessing and improving security practices in software product (SP) development. It helps identify and implement security best practices at all stages of the development lifecycle.

This standard describes the implementation of DevSecOps rather than assessing its maturity level. It offers a set of organizational and technical measures to implement secure development practices. It is more of a guideline standard adopted by the secure development community to improve the effectiveness of DevSecOps.

OWASP SAMM

The standard is divided into five main areas. There are no levels, but each area includes two streams:

  • Stream A is aimed at creating and promoting a practice.

  • Stream B is aimed at change and improvement.

This structure allows companies to gradually implement and improve security practices. Stream A lays the foundation, and Stream B provides further development.

Benefits of OWASP SAMM. Flexibility and adaptability to different organizations. Clear instructions to help improve development security.

Disadvantages of OWASP SAMM. This standard may require significant initial assessment and planning effort. It describes the ideal state but does not define a baseline level of information security in development for the initial implementation stage.

Microsoft SDL

Microsoft SDL (Security Development Lifecycle) is a set of practices and processes developed by Microsoft to ensure software security throughout its lifecycle. It helps developers automate every stage of software development.

This standard is closer in content to a framework than to a set of methodologies. It tells us "how it should be", with the one difference that most of the processes are oriented towards use in Microsoft infrastructure. Given that Microsoft solutions are currently not fully represented on the Russian market, it will certainly not be possible to meet the requirements of this standard from start to finish. Therefore, companies that value compliance and comprehensive security are forced to use "crutches" to replace the usual solutions from the Microsoft portfolio.

The standard consists of 10 practice recommendations that must be followed to fully develop DevSecOps:

  1. Establish security standards, metrics and governance.

  2. Demand the use of proven security features, languages, and frameworks.

  3. Perform security design analysis and threat modeling.

  4. Define and use cryptography standards.

  5. Ensure the security of your software product supply chain.

  6. Ensure the security of the engineering environment.

  7. Conduct security testing.

  8. Ensure the security of the operating platform.

  9. Implement security monitoring and response.

  10. Provide security training.

An example of a description of one of the Microsoft SDL practices. Here you can see references to other standards that are discussed in the article.

Benefits of Microsoft SDL. The standard is widespread, Microsoft actively supports and develops it. The methodology includes time-tested practices that Microsoft developers rely on. Each SDL step is accompanied by detailed documentation, making it easy to implement and use.

Disadvantages of Microsoft SDL. SDL is less flexible when running in non-Microsoft environments. Small companies may find it difficult to implement SDL due to its complexity and resource intensity.

NIST SP 800-64

NIST SP 800-64 (Security Considerations in the System Development Life Cycle) is a specialized document in the NIST family of standards. While NIST standards generally focus on comprehensive security, SP 800-64 focuses specifically on the secure development cycle. The document, created by the US National Institute of Standards and Technology, offers recommendations for implementing security measures at every stage of software development. These recommendations apply both to government agencies and to private companies seeking to improve the security of what they build.

NIST SP 800-64

The standard identifies five stages of the development cycle. Each stage is presented as a step-by-step diagram with recommendations for security measures.

Schematic representation of one of the development phases in NIST SP 800-64

Such branching visualization is a good way to present the process and decompose it into a pipeline, taking into account which recommendations are implemented and which are not, and allowing a possible return to the previous stage.

Benefits of NIST SP 800-64. The standard offers detailed recommendations applicable to different types of systems. It covers not only information security and secure development, but also related areas. The document contains specific guidelines for ensuring the security of container infrastructure, the developer's workplace, CI/CD and other systems involved in the development process. This integrated approach allows you to create a holistic security system at all levels of development.

Disadvantages of NIST SP 800-64. Implementing the standard can be difficult for smaller organizations due to the high bureaucratic burden. Full compliance with technical requirements often requires significant financial investment. The standard requires strict implementation of all prescribed measures, which is theoretically correct, but in practice can cause difficulties. The question becomes how to effectively integrate these requirements into actual work processes without sacrificing productivity.

Comparison of standards in terms of focus

1. DSOMM (DevSecOps Maturity Model)

  • Purpose and approach. DSOMM focuses on integrating security into DevOps processes, with a strong focus on automation and continuous improvement.

  • Key Features:

    • Automation. Drives the adoption of automated security checks in the CI/CD pipeline.

    • Cultural integration. Encourages a culture change within the organization where security becomes a shared responsibility of the development, operations and security teams.

    • Levels of maturity. Provides a maturity model for assessing and improving DevSecOps practices over time.

  • Advantages:

    • Speeds up discovery and remediation of vulnerabilities.

    • Promotes greater collaboration between teams.

  • Limitations:

    • May require significant changes to processes and tools.

    • Requires a high level of automation and technical maturity.

2. BSIMM (Building Security In Maturity Model)

  • Purpose and approach. The BSIMM is based on empirical data and serves as a descriptive model that reflects actual security practices in organizations.

  • Key Features:

    • Industry benchmarks. Allows you to compare your security practices with similar organizations in the industry.

    • Catalog of activities. Provides a list of over 100 specific security actions observed in successful programs.

    • Personalization. Helps tailor your security program by selecting the most relevant activities.

  • Advantages:

    • Based on real data and proven practices.

    • Offers a broad perspective on different approaches to security.

  • Limitations:

    • The descriptive nature may make it difficult to apply without further interpretation.

    • Does not provide step-by-step implementation instructions.

3. OWASP SAMM (Software Assurance Maturity Model)

  • Purpose and approach. OWASP SAMM provides a structured, step-by-step method for improving secure development processes.

  • Key Features:

    • Modular structure. Divided into business functions and security practices, allowing you to focus on specific areas.

    • Assessment and planning. Provides tools for assessing current status and planning improvements.

    • Flexibility. Adapts to various development methodologies, including Agile and Waterfall.

  • Advantages:

  • Limitations:

    • May require significant resources to fully implement.

    • Requires the involvement of various stakeholders for effective implementation.

4. Microsoft SDL (Security Development Lifecycle)

  • Purpose and approach. Microsoft SDL integrates security practices into every stage of the development lifecycle in an effort to reduce vulnerabilities and improve product reliability.

  • Key Features:

    • Phase approach. Includes specific security actions from planning to release.

    • Best practices. Includes threat modeling, secure coding standards, and security testing techniques.

    • Compliance. Helps comply with regulatory and industry standards.

  • Advantages:

  • Limitations:

    • Originally developed for Microsoft's internal needs, so it may require adaptation.

    • Can be challenging for SMEs without adequate resources.

5. NIST SP 800-64 (Security Considerations in the System Development Life Cycle)

  • Purpose and approach. NIST SP 800-64 provides guidance for integrating security into information systems throughout the life cycle.

  • Key Features:

    • Risk management. Emphasizes the importance of risk management from system inception to decommissioning.

    • Integration into SDLC. Considers security at every stage of development, ensuring a comprehensive approach.

    • Applicability. Although focused on US federal systems, the principles can be applied to a variety of organizations.

  • Advantages:

    • Complies with international standards and best practices.

    • Assists in achieving compliance with regulatory requirements.

  • Limitations:

    • May be too general and require additional detail for specific projects.

    • The focus on documentation and processes can slow down agile development methodologies.

Application of standards in the realities of the Russian market

In conclusion, I would like to note that the application of the considered standards in Russian conditions requires a conscious and thoughtful approach. They were developed without taking into account the specifics of the Russian market, which is especially noticeable when implemented in government agencies.

For example, the basic practices of the Microsoft SDL standard are certainly relevant, and its verification methods can also be useful, but technical implementation using Microsoft tools is often not applicable in Russian conditions.

Organizations can combine elements of different models to create the optimal security program that meets their unique needs. In domestic development, a combination of three standards is more often used: DSOMM, BSIMM and SAMM. This combination allows you to flexibly adapt the best world practices to Russian realities. Smaller companies may find it easier to start with lighter models such as OWASP SAMM, while larger enterprises may benefit from the comprehensive approaches of Microsoft SDL or NIST SP 800-64.

The NIST standard, despite its complexity, has a significant drawback for the Russian market – excessive bureaucracy. Foreign bureaucratic processes do not take root well in the Russian business environment, which makes the full implementation of this standard difficult. But BSIMM provides the opportunity to take into account industry characteristics, which is especially useful for companies operating in specific sectors of the economy.

Standards that require significant investment in resources, such as DSOMM, can be implemented in stages. This allows companies to spread costs and effort over time. Alternatively, the standard can be decomposed and only the most critical or relevant techniques can be implemented.

The implementation of the considered standards requires taking into account several key elements:

  • primary regulation of the process that determines the interaction between teams;

  • implementation of software analysis tools;

  • implementation of software analysis tools for the company;

  • building effective interaction between developers, security specialists and infrastructure;

  • training employees in secure development practices.

Taking these aspects into account, the initial processes and regulations for secure development in a small company can be built within a year, given the proper level of specialist expertise. It usually takes several months to establish interaction between the participants. Reaching a mature state of secure development can take up to three years, but every case is individual.