How secure is SSE-CMM?

February 19, 2008 · Filed Under Featured Article, Secure Software Engineering 

Let us cite from the SSE-CMM website: The SSE-CMM (The Systems Security Engineering Capability Maturity Model) [1] describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering. The model is intended to be used as a:

  • Tool for engineering organizations to evaluate security engineering practices and define improvements to them.
  • Standard mechanism for customers to evaluate a provider’s security engineering capability.
  • Basis for security engineering evaluation organizations (e.g., system certifiers and product evaluators) to establish organization capability-based confidences (as an ingredient to system or project security assurance).

The SSE-CMM addresses security engineering activities that span the entire trusted product or secure system life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, maintenance, and decommissioning. The SSE-CMM applies to secure product developers, secure system developers and integrators, and organizations that provide security services and security engineering. The SSE-CMM applies to all types and sizes of security engineering organizations, such as commercial, government, and academic [1][2].

The SSE-CMM is structured to support a wide variety of improvement activities, including self-administered appraisals, or internal appraisals augmented by expert “facilitators” from inside or outside the organization. Although it is primarily intended for internal process improvement, the SSE-CMM can also be used to evaluate a potential vendor’s capability to perform its security engineering process.

The Problem

The main problem is that SSE-CMM deals with Security Engineering, not with Secure Software Engineering. Is this just a wording problem, or is the SSE-CMM useless for the development of secure software?

According to [2] some goals of security engineering are to:

  • Gain understanding of the security risks associated with an enterprise
  • Establish a balanced set of security needs in accordance with identified risks
  • Transform security needs into security guidance to be integrated into the activities of other disciplines employed on a project and into descriptions of a system configuration or operation
  • Establish confidence or assurance in the correctness and effectiveness of security mechanisms
  • Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks)
  • Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system

Duh…

On page 31 of [2] we can read: “Security engineering activities interface with many other disciplines, including… Software engineering…”.

Duh… on the same page we can read:

Note: with respect to software engineering, further information can be found in ISO/IEC 12207:1995, Information technology — Software life cycle processes, which views security from a software perspective.

As I remember, ISO/IEC 12207:1995 is lacking when it comes to software security.

Again: this prompts new thoughts about the need for a defined Secure Software Engineering, including its own capability model!

References

[1] http://www.sse-cmm.org
[2] Model Description Document Version 3.0 (340 pages, 1.02 mb)
[3] The SSE-CMM Appraisal Method


Comments

One Response to “How secure is SSE-CMM?”

  1. Tanakom on March 6th, 2008 4:58 pm

    Thanks for sharing. I feel I get some similar issues to those in this article, but you can express them perfectly.

    Cheers,
    Tanakom.
    http://www.soft2secure.com/
