Tuesday, August 05, 2008
OWASP Maturity Model
In many industries, contracts are awarded based on conformance to one QA standard or another (e.g. ISO, CMMi, etc.). Such standards, at many levels, go against the grain of other principles I hold, such as agile software development, so we need to think deeper about using maturity models as guidance rather than as a form of measuring compliance.
Another challenge is familiarity. ISO 9000 is a very familiar concept in most enterprises, yet the notions behind OWASP and secure coding are barely on the radar of most enterprises, let alone the pursuit of any security maturity. The key theme we need to encourage is that maturity models are steps to climb, but more importantly, you must throw away the ladder once you have reached the top.
The biggest challenge of all is that maturity models tend to come with lots of associated baggage. My thesis is that it is simply wrong to create artifacts to prove to some independent auditor that we are embracing security maturity. Do we want folks to document meeting minutes between developers talking about the finer points of cross-site scripting and SQL injection just to create evidence?
Creating a bunch of documentation on the off chance that an auditor will swoop in, select your particular project, spend a couple of days looking at reams of paper while ignoring the actual software, and then collect a fat paycheck seems diametrically opposed to the mission of making knowledge free and open.
I am thinking about asking various OWASP Chapter Leaders for their thoughts on eschewing certification and instead embracing an annual OWASP award for the entity that best embraces the principles of OWASP. Maybe I can nominate Gunnar Peterson, Brian Chess, Tom Brennan, Jeremiah Grossman, Dan Blum, Brenda Michelson, Michael Cote and Bob Blakely to serve on this special committee...