Applying Security by Design with the CMMI for Development

by Ben Linders on Nov 15, 2013

To enable development of secure products, processes covering the software development life cycle have to include security activities. “Security must be considered right from the beginning and the products have to be secure by design,” said Winfried Russwurm from Siemens and Peter Panholzer from Limes Security. They facilitated a workshop at the SEPG Europe 2013 conference where they explored security activities and presented the Application Guide for Improving Processes for Secure Products.

Winfried and Peter asked the workshop attendees to come up with dedicated development activities that need to be done to enhance security and to create a more secure product. They categorized the ideas that the attendees brought up:


  • Arrange for security experts
  • Increase security awareness and develop a security culture
  • Provide security training
  • Develop and deploy security policies


  • Identify hackers as stakeholders
  • Do a security risk analysis
  • Define security requirements, e.g. with security user stories and scenarios


  • Focus on security risks in interface design
  • Architecture rules and guidelines for security
  • Identify and apply proven architectures for security


  • Apply coding standards for secure software
  • Use tooling to check code on security


  • Plan and do security testing
  • Use tools to automate security testing

Full Life Cycle

  • Perform security reviews and verifications
  • Identify risk sources and categories to do a risk assessment
  • Apply lessons learned from other companies and communities
  • Establish social media policies for dealing with security issues

Earlier this year the CMMI Institute published the Application Guide for Improving Processes for Secure Products. This application guide contains additional process areas about security aspects of engineering, managing security in projects, and organizational security topics. The guide can be used with the Capability Maturity Model Integration for Development (CMMI-DEV) to improve processes so that organizations using them can provide security assurance for their customers.

The CMMI Institute together with the authors of the guide would like to hear from organizations that have used the guide, and they welcome any feedback.
