BSIMM3 launches today
First, a primer for the unfamiliar: BSIMM (the Building Security In Maturity Model) is a set of best practices that Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and building a framework around the areas where those initiatives were succeeding.
By studying what the nine initiatives were actually doing (rather than what they said they should do), BSIMM's creators were able to build a descriptive model broken into 12 practices that software makers can measure themselves against:
1. Strategy and metrics
2. Compliance and policy
3. Training
4. Attack models
5. Security features and design
6. Standards and requirements
7. Architecture analysis
8. Code review
9. Security testing
10. Penetration testing
11. Software environment
12. Configuration and vulnerability management
Delving deeper, the BSIMM data set yields staffing rules of thumb, such as roughly one dedicated software security practitioner for every 100 software developers on staff.
Gary McGraw, Cigital's CTO and one of BSIMM's authors, said highlights of the third major release include the following:
* BSIMM3 now includes 42 firms.
* BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity.
* 11 firms have been measured twice (giving us Longitudinal Study data) and the data shows measurable improvement.
* The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately).
* BSIMM3 describes the work of 786 SSG members working with a satellite of 1750 people to secure the software developed by 185,316 developers.
"The BSIMM remains the only measuring stick for software security initiatives based on science," McGraw said. "It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results."
The concept of building security into the software development process from the start, rather than bolting it on after release, has evolved considerably in the last seven or so years.
For one thing, BSIMM is just one of several initiatives out there. There is also OWASP (whose OpenSAMM is the closest analogue to BSIMM) and Microsoft's Security Development Lifecycle (SDL). There's the Software Assurance Forum for Excellence in Code (SAFECode). And there's the Rugged Software initiative.
McGraw said one of the goals behind BSIMM is to tie together the elements those varying approaches have in common. The BSIMM website elaborates further on this:
"As an organizing feature, we introduce and use a Software Security Framework (SSF) which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective."
--Bill Brenner