Building Trust in the Security of Software
This article will show how the weaknesses in ISO/IEC 5055 can be used in conjunction with several of these certification approaches to increase the security of a software system. It will present empirical data from analyzing security weaknesses in a global sample of 2,505 software systems from the Appmarq repository maintained by CAST. A more complete description of this repository and its data is presented in Annex B.
2 TRUSTING THE PROCESS
2.1 PROCESS STANDARDS
There are numerous standards for evaluating whether an organization can secure its information or produce secure products. Among the most prominent process-based standards for certifying an organization’s capability for producing secure software systems are:
• ISO/IEC 27001:2022 – Information Security Management
• NIST National Cybersecurity Framework 2.0 (2024) & Secure Software Development Framework (SSDF, 2022)
• Capability Maturity Model Integration (CMMI, Chrissis, et al., 2011) [3]
• ISO/IEC 33001:2015 & Automotive SPICE v. 4 (VDA Working Group 13, 2023) [18]
• OWASP Software Assurance Maturity Model, Version 2 (OWASP SAMM v2) [13]
• Building Security In Maturity Model (Black Duck, 2025) [1]
• Cybersecurity Maturity Model Certification (Department of Defense, 2024)
The first two frameworks provide general guidance on establishing an organizational capability for protecting confidential information and managing the information infrastructure. As shown in Table 2-1, there are several opportunities in NIST’s National Cybersecurity Framework (2024) to integrate the use of weaknesses and measures in ISO/IEC 5055 into framework processes.
4 May 2025