Software Security Maturity Assurance (SSMA) Assessment

Evaluate, implement, and improve software security practices

Next Steps:


As organizations adopt software application security best practices, such as web application penetration testing (WAPT), secure code reviews (SCR), and threat models, they often fail to realize the long- and short-term benefits of measuring and implementing an effective software security program. For example, in the short-term, finding security vulnerabilities via a WAPT can be effective at revealing web application security risks. However, what if the security vulnerabilities identified have already been discovered in previous assessments? Why are security issues recurring? If similar security vulnerabilities continue to surface, this can be a sign of poor software security processes, which are in part, becoming less cost-effective in the long term.

In such cases, organizations can seek to measure their current software security programs in an effort to improve secure software development practices. This is where McAfee Foundstone’s Software Security Maturity Assurance (SSMA) Assessment can play an instrumental role. The SSMA service helps organizations evaluate, implement, and improve current software security practices for a single project, for a business unit, or across the entire organization.

By conducting a maturity assessment, Foundstone can identify gaps and areas for process improvement. At the end of an assessment, Foundstone delivers a maturity scorecard, a project plan, and a roadmap with measurable objectives focusing on improving specific areas of the Secure Software Development Life Cycle (S-SDLC).

Foundstone’s SSMA strategic service provides:

  • Assessment of the current state of software security practices.
  • Implementation of a balanced software security assurance program in well-defined iterations.
  • Concrete improvements to a security program.
  • Help defining and measuring security-related activities throughout an organization.

Key Benefits

  • Provides a prompt health check of an organization’s current security program and practices against industry-recommended best practices.
  • Provides a quick estimate and roadmap to improve current security practices.
  • Gathers metrics and evidence to support the need for implementing a better security program.
  • Allows prioritization of the activities leading to effective risk management.


Foundstone’s methodology follows a two-step approach. It starts by understanding the maturity status of an organization’s software security practices through questionnaires, interviews, and an audit and review of the artifacts. Based on the results of the assessment, Foundstone then offers process improvement guidance and services to verify that best practices are in place and executed effectively by the organization. This guides the organization to take iterative steps to mature and strengthen business functions of software development.

Foundstone’s methodology, based on Open Software Assurance Maturity Model (SAMM), is flexible to fit organizations of all sizes and can be customized to clients’ needs. It is based on four core software development business functions — governance, construction, verification, and deployment — and focuses on 12 software security activities within an organization, including policy and compliance, security requirements, design review, and environment hardening.

Foundstone provides two assessment models to cater to your specific needs:

  • Quick health check assessment model
  • Full assessment model

The quick health check model is limited to questionnaires, a review of artifacts, and interviews. The detailed full assessment model includes an audit component. During the audit process, Foundstone consultants conduct an enterprise risk assessment in order to understand the overall business risk profile. Consultants also follow up by identifying applications that are critical to the business and should be included in an application risk portfolio. Furthermore, consultants conduct risk-based security testing such as a WAPT and secure code reviews to collect data and evidence, and build a customized software security assurance roadmap.