PSMM


A Security Development Lifecycle (SDL) defines the activities required to build security into a product or application. The Product Security Maturity Model™ (PSMM) measures how well each of those SDL activities is being performed. The SDL provides breadth, while the PSMM provides depth.

The PSMM was first developed by Harold Toomey in 2014. Other contributors include Patrick McEnany, James Ransome, and Brook Schoenfield. The PSMM can be freely used to measure the depth or maturity of the security practices in your organization. Several organizations use it today, including:

  • McAfee LLC
  • Intel Security: "Moving up the Product Security Maturity Model", June 12, 2015
  • Intel Corp.: "Intel's Product Security Maturity Model (PSMM)", October 2, 2015, and "Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM)", October 8, 2015
  • Seagate Technology: Monty, PSIRT, and attendee at the CERT Vendors Meetings
  • Deloitte: LinkedIn reference, 2016

2016: The Original 8-12 Model
Original PSMM with 8 operational and 12 technical SDL activities.
  • PSMM Presentation 2016 (PDF): MS PowerPoint slides that describe the PSMM at a high level
  • PSMM Document 2016: MS Word document that describes the PSMM and all levels of all activities in detail
  • PSMM Spreadsheet 2016: MS Excel spreadsheet used to collect data and automatically compute scores

PSMM Parameters 2016

Operational activities (O1-O8)
  • O1 Program
  • O2 Resources
  • O3 SDL
  • O4 PSIRT
  • O5 Policy
  • O6 Process
  • O7 Training
  • O8 Reporting & Tracking Tools

Technical activities (T1-T12)
  • T1 Security Requirements Plan [Waterfall] / Security Definition of Done (DoD) [Agile]
  • T2 Security Architecture & Design Reviews
  • T3 Threat Modeling
  • T4 Security Testing
  • T5 Static Analysis
  • T6 Dynamic Analysis
  • T7 Fuzz Testing
  • T8 Vulnerability Scans / Penetration Testing
  • T9 Manual Code Reviews
  • T10 Secure Coding Standards
  • T11 Open Source & 3rd Party COTS Libraries
  • T12 Privacy

Maturity levels
  • 0 NA
  • 1 None
  • 2 Basic
  • 3 Initial
  • 4 Acceptable
  • 5 Mature

Scoring: (8 operational + 12 technical activities) × 5 (maximum maturity level) = 100 points

UNDER DEVELOPMENT

2018: The New 9-16 Model
Updated PSMM with 9 operational and 16 technical SDL activities.
  • PSMM Presentation 2018 (PDF): MS PowerPoint slides that describe the PSMM at a high level
  • PSMM Document 2018: MS Word document that describes the PSMM and all levels of all activities in detail
  • PSMM Spreadsheet 2018: MS Excel spreadsheet used to collect data and automatically compute scores

PSMM Parameters 2018

Operational activities (O1-O9)
  • O1 Program
  • O2 SDL
  • O3 PSIRT
  • O4 People & Resources
  • O5 Tools & Services
  • O6 Policy, Compliance & Certifications
  • O7 Training
  • O8 Metrics
  • O9 Maturity Models

Technical activities (T1-T16)
  • T1 Security Definition of Done (DoD)
  • T2 Security Architecture & Design Reviews
  • T3 Threat Modeling
  • T4 Privacy Review
  • T5 Secure Coding Standards
  • T6 Manual Code Review
  • T7 Open Source & 3rd Party Libraries
  • T8 Vendor Management
  • T9 Static Analysis (SAST)
  • T10 Interactive Analysis (IAST)
  • T11 Dynamic Analysis (DAST)
  • T12 Fuzz Testing
  • T13 Vulnerability Scan
  • T14 Penetration Testing
  • T15 Security Testing & Validation
  • T16 Operating Environment

Maturity levels
  • NA
  • 0 None
  • 1 Minimal
  • 2 Good
  • 3 Better
  • 4 Best

Scoring: (9 operational + 16 technical activities) × 4 (maximum maturity level) = 100 points

Last updated 21 October 2019