NIST SSDF
Analyze Vulnerabilities to Identify Their Root Causes
RV.3.1: Root Cause Determination
RV.3.2: Root Cause Correlation
RV.3.3: Systematic Vulnerability Eradication
RV.3.4: Vulnerability Prevention
Root Cause Determination
RV.3.1: Analyze identified vulnerabilities to determine their root causes.
Example 1: Record the root cause of discovered issues.
Example 2: Record lessons learned through root cause analysis in a wiki that developers can access and search.
CMMI Maturity
Not Applicable - No maturity level applies.
Level 1: Initial - Unpredictable and reactive. Work gets completed but is often delayed and over budget.
Level 2: Managed - Managed at the project level. Projects are planned, performed, measured, and controlled.
Level 3: Defined - Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
Level 4: Quantitatively Managed - Measured and controlled. The organization is data-driven, with quantitative performance-improvement objectives that are predictable and aligned with the needs of internal and external stakeholders.
Level 5: Optimized - Stable and flexible. The organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. Its stability provides a platform for agility and innovation.