Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition.
Though we have not completed the maturity model (analysis continues apace), a number of surprises bubbled up from the data soup. We wrote them up in an article that we thought you might find interesting.
Though our approach is only “science-y” and may well be closer to anthropology than computer science, we do think it’s important to focus on what works in the real world. If you have any questions or comments about our study, we welcome contact.