Introduction
There is a need to properly address customers’ wishes while developing software. Customers’ needs are constantly evolving; hence it is common practice to address these needs first. However, this can have disastrous consequences when security measures are relegated to second priority. Therefore, leading IT companies that specialize in software development build security measures in parallel with the software itself (Johnson, 2020). The importance of such practices is enormous, as they drastically reduce the chances of a data breach, which on average results in a 150-million-dollar loss for the affected companies.
In order to prevent such liabilities, it is necessary to introduce Capability Maturity Model Integration (CMMI). CMMI is a framework used to integrate security into the software development process. The framework was created by Carnegie Mellon University at the request of the U.S. Department of Defense as a means of identifying the maturity of an organization’s processes (Maymi & Harris, 2018). Companies that use this framework may benefit from access to third-party assessors who verify adherence to the CMMI’s guidelines. Consequently, implementing the CMMI framework would help build trust with customers and increase their willingness to seek out our services.
Analysis
CMMI incorporates a comprehensive framework of guidelines that aims to identify and address software security issues in every phase of product development. These phases consist of concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance. “The crux of CMMI is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture” (Maymi & Harris, 2018). In addition, CMMI allows organizations some freedom in their development approach, as it does not prescribe specific steps for implementing the model’s practices (Ayyagari & Atoum, 2019). CMMI has several variants dedicated to specific needs, such as services and development.
The latest version of CMMI for development has five maturity levels that build upon each other: Initial; Managed; Defined; Quantitatively Managed; Optimizing (Ayyagari & Atoum, 2019). In this way, CMMI ensures that certain features (security measures) are incorporated into each step of development and allows organizations to pursue improvement in each of those steps.
Main Points of Maturity Levels
- Initial:
  - The Initial level can be characterized as unpredictable and poorly managed, where success depends on individual employees’ achievements.
  - In other words, “there are no process areas” (Ayyagari & Atoum, 2019, p. 446).
  - “The processes are usually ad hoc and chaotic” (Ayyagari & Atoum, 2019, p. 446).
- Managed:
  - The Managed level follows a process based on individual projects, with a standardized management structure for software development and guidelines for changing processes and quality assurance (Maymi & Harris, 2018).
  - Hence, the company is able to repeat its processes successfully.
  - However, at this level of maturity, the company might still lack formal iteration processes and a defined order of execution.
- Defined:
  - Companies at the Defined level incorporate proactive processes for product engineering (Maymi & Harris, 2018).
  - Standard procedures are properly documented, and each phase of program development is defined.
  - The company is able to assess the results of successive projects and evolve from the lessons learned.
- Quantitatively Managed:
  - Companies at the Quantitatively Managed level deploy analytical tools for specific processes.
  - These companies employ formal procedures for collecting and analyzing data from each iteration of software development.
  - Companies at this level use specific metrics to ensure that improvements made in previous iterations are carried forward (Maymi & Harris, 2018).
- Optimizing:
  - Organizations at the Optimizing level are focused on continuous improvement.
  - They build upon the Quantitatively Managed level.
  - These organizations dedicate a functional operating budget to process improvement.
Summary
In summary, the need for security improvement and the implementation of relevant frameworks is essential in the contemporary era. The issue is arguably of national importance due to the vast amount of proprietary data, trade secrets, and intellectual property involved. The prolonged deployment of vulnerable software products, built at reduced cost to meet only basic RFP requirements, is an urgent issue that must be resolved today.
There is no need to identify a scapegoat to blame for the increasing number of data leaks. As this brief shows, companies and software engineers have a fiduciary responsibility to ensure the security of their products in use. Furthermore, the Capability Maturity Model Integration process could become a viable preventive measure against possible security breaches. Consequently, it is recommended that companies evaluating RFP submissions in the field of software development require a third-party assessment of the respondents’ CMMI compliance.
As previously discussed, CMMI provides a framework for applying security controls within companies’ product development processes. Integrating vulnerability-handling functions could provide a cohesive and timely definition of vulnerability response and security during the maintenance phase (Scimone, 2021). Organizations that have implemented CMMI have reported improvements in productivity, quality, and cycle time, along with increased accuracy and predictability of schedules and budgets (Ayyagari & Atoum, 2019). CMMI, in combination with third-party testing, offers a valid approach to ensuring that solid security controls are integrated into the development process.
References
Ayyagari, R. M., & Atoum, I. (2019). CMMI-DEV implementation simplified. International Journal of Advanced Computer Science and Applications, 10(4), 445-459.
Johnson, M. (2020). The importance of security in software development. Latest Hacking News. Web.
Maymi, F., & Harris, S. (2018). CISSP all-in-one exam guide. McGraw-Hill Education.
Scimone, J. (2021). When product security and cybersecurity converge: A CSO’s perspective on how security organizations can thrive. Security Magazine. Web.