owaspsamm / core

Core model including reused documentation
Creative Commons Attribution Share Alike 4.0 International

Why are activities in different maturity levels independent and rated equally? #30

Open Pat-Duarte opened 3 years ago

Pat-Duarte commented 3 years ago

From what I can see in the rating calculation, it does not matter whether I have a good coverage in a level-1 activity of a specific stream, or a level-3 activity. Also, higher-level activities do not depend on lower-level activities. So, in terms of the practice rating and in terms of dependencies, the maturity levels do not look to me like actual maturity levels. This seems illogical to me, and hard to explain to a team that is assessed.

Other process maturity models define a generic maturity level for each activity, like Initial, Repeatable, Defined, Capable, Efficient in CMM. BSIMM has a system that is comparable to SAMM, but it defines a "high-water mark" system where if you do at least one activity in maturity level 3, you automatically have that level, regardless of the activities below that level.

So to me personally, the term "maturity level" is a bit misleading in SAMM, because after the rating, I cannot tell which maturity level I have in each security practice. I just get a number that is completely unrelated to maturity levels.

Any takes on this? Is there something I didn't understand correctly?

History from old repo: @thomaskonrad-sba opened this issue on Oct 15, 2020

@23bartman commented on Dec 23, 2020 Hi, thanks for your comment. You do understand the measuring correctly. In the past, SAMM used a measuring model as you described, where one needed to have all activities in underlying maturity levels before you could score on higher maturity levels. We decided to step away from this, as we encountered many situations where this would be awkward (where level 1 activities were not implemented, for instance, or were decided not relevant, yet organisations were doing useful activities on higher levels). That's why we, in the end, decided to step away from these mandatory lower levels.

Between the lines, I do read that it might be useful to have different weights for different levels. We've considered this, but not implemented this so far. We might reconsider.

@23bartman 23bartman assigned SebaDele and 23bartman on Dec 23, 2020

@thomaskonrad-sba commented on Jan 4 Thanks for the explanations. I'd love to be part of such discussions. Is there a way to be part of the process?
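The three scoring schemes discussed above (independent equal-weight levels, the older gated model where higher levels only count once the lower ones are complete, and a BSIMM-style high-water mark), plus the level-weighted variant floated in the reply, side by side on the same constructed assessment. This is an added illustration, not code from the owaspsamm/core repository or its toolbox; the stream layout (one activity per level, coverage answers 0/0.25/0.5/1, practice score as the mean of its streams) and the "done" threshold for the high-water mark are assumptions made for the example.

```python
"""Scoring models for one SAMM-style security practice, side by side."""
from statistics import mean

# Constructed sample, not real assessment data. One practice, two streams,
# one activity per maturity level, each with a coverage answer in {0, .25, .5, 1}.
# Stream "B" is the situation raised in the thread: level 1 skipped, level 3 done.
SAMPLE_PRACTICE = {
    "A": {1: 1.0, 2: 0.5, 3: 0.25},
    "B": {1: 0.0, 2: 0.25, 3: 1.0},
}

# Coverage at or above this counts as "doing" an activity for the high-water mark
# (assumed threshold for this example; BSIMM's own criteria are not reproduced here).
DONE_THRESHOLD = 0.5


def stream_flat(stream):
    """Levels independent, equal weight: the scheme the issue describes (0..3)."""
    return sum(stream.values())


def stream_gated(stream):
    """Older scheme as described in the reply: a level only scores once every
    lower level is fully covered, so a missing level 1 zeroes the stream."""
    score = 0.0
    for level in sorted(stream):
        score += stream[level]
        if stream[level] < 1.0:
            break
    return score


def stream_high_water(stream):
    """BSIMM-style high-water mark: the highest level with any activity done."""
    done = [level for level, cov in stream.items() if cov >= DONE_THRESHOLD]
    return float(max(done)) if done else 0.0


def stream_weighted(stream, weights=None):
    """Level-weighted variant (assumed weights 1/2/3), rescaled back to 0..3."""
    weights = weights or {1: 1, 2: 2, 3: 3}
    total = sum(weights[level] * cov for level, cov in stream.items())
    return total * 3 / sum(weights[level] for level in stream)


MODELS = {
    "flat": stream_flat,
    "gated": stream_gated,
    "high_water": stream_high_water,
    "weighted": stream_weighted,
}


def practice_scores(practice, models=MODELS):
    """Practice score per model: mean of the stream scores (assumed aggregation)."""
    return {name: mean(fn(stream) for stream in practice.values())
            for name, fn in models.items()}


if __name__ == "__main__":
    for name, fn in MODELS.items():
        per_stream = {s: fn(v) for s, v in SAMPLE_PRACTICE.items()}
        print(f"{name:11s} streams={per_stream} practice={practice_scores(SAMPLE_PRACTICE)[name]:.4f}")
```

Running it shows why the thread's complaint and the maintainers' answer are both reasonable: the gated model throws away stream B entirely because level 1 is not done, the high-water mark jumps B to level 3 on a single activity, and the flat model lands in between without saying which "level" the practice is at.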

Pat-Duarte commented 3 years ago

@thomaskonrad-sba, be a part of the conversation by joining our Slack channel (https://owasp.slack.com/messages/C0VF1EJGH). We also have monthly community calls (info on Slack).

SebaDele commented 2 days ago

Reviewed and discussed during the OWASP SAMM 2024 project summit. No further action (see Bart's response).