Building Trust in the Security of Software
As maturity models have multiplied without number, two basic architectures have emerged: process-based and organizationally-based. Organizationally-based models roughly follow the architecture of the original CMM as outlined above. A maturity level is assigned to an organization when it has implemented the practices comprising that level (see VDA Working Group [18]). Thus, the maturity level rating represents an organization’s capability for achieving the results enabled by practices at that maturity level.
In contrast, process-based models rate the maturity of each individual process or practice, so an organization will have practices rated at a range of levels. Thus, the maturity rating describes the capability of a process or practice, as implemented, to achieve the results it enables. However, it does not imply that the organization as a whole is capable of delivering results at the same level.
That is, the performance of a development cycle with many high-maturity processes and practices can be undermined by one or more immature processes or practices. This is especially true for security practices, where a single immature practice can enable unauthorized access: an organization is at the mercy of its least mature practices. When using process-based maturity models, organizations need to create a profile of the maturity required of each practice in order to achieve the level of security risk they can tolerate.
Organizations such as Raytheon [7] and Telcordia Technologies [15] have shown dramatic improvements in productivity and product quality as the maturity of their practices improved. Use of maturity models to guide improvement has diminished over the last decade as the models became bloated with practices, especially what CMMI called ‘generic practices’, which were institutionalization practices applied to every process area, creating bureaucracy. Nevertheless, when designed with a limited focus on the essential practices for achieving the model’s objectives, maturity models have proven empirically to produce excellent results [8].
2.3 COMPLIANCE SYNDROME AND CULTURE
One danger with process-level improvement programs is falling into a ‘compliance syndrome’. Under this syndrome, practices are performed because they are required, and their performance is almost robotic. A related problem occurs when compliance is not validated by demonstrating improved results. If the focus is placed on how practices are improving results rather than on compliance, the culture changes and the practices become ‘our way of doing things’.
Organizations that have taken maturity growth seriously have seen their culture change simultaneously with their results. At Level 2, culture is local, since practices can differ across projects that have become stable. It is at Level 3 that an organizational culture emerges, expedited by standard, organization-wide processes that produce improved results. The higher maturity levels are where a culture of excellence emerges, based on optimizing and innovating practices for continual improvement. One result is much more secure software systems: Level 5 organizations have reported dramatic reductions in weaknesses, with the Space Shuttle’s Primary Avionics Software System reporting less than 1 weakness per KLOC [14].
Journal of Innovation 7