Evaluation of the HAVOSS software process maturity model

2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA) (2020)

Abstract
The HAVOSS (Handling Vulnerabilities in OSS) maturity model describes important processes for managing security vulnerabilities in OSS modules in developed products. So far, the model has not been evaluated in any real assessment process. Here we present a study where the model was evaluated by using it in assessments of processes for two product types in one organization. Each assessment was conducted in a focus group meeting where their procedures were analyzed. The evaluation was conducted by posing specific questions about the model during the focus group meetings and by investigating how difficult it was to assess the maturity of practices from the transcribed text. It was found that some practices were easy to assess, while others could be analysed separately for different parts of the products. Further work can be conducted on how assessments can be conducted and how they can be combined with other software security initiatives.
Keywords
Open Source, Vulnerabilities