Friday, March 13, 2009

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives


By studying what the nine initiatives were doing, BSIMM's creators were able to build a best-practices model that's broken into 12 categories software makers can follow:
1. Strategy and metrics
2. Compliance and policy
3. Training
4. Attack models
5. Security features and design
6. Standards and requirements
7. Architecture analysis
8. Code review
9. Security testing
10. Penetration testing
11. Software environment
12. Configuration and vulnerability management
Bill Brenner, CSO Magazine, 3-10-09

Software security is one of Carnegie Mellon CyLab's cross-cutting research thrusts, and an area of great focus here, so we are always on the lookout for meaningful work in the field to highlight on CyBlog (especially when it is undertaken by one of our corporate partners, in this case, Fortify).

Brian Chess, Co-Founder and Chief Scientist for Fortify, and Gary McGraw, Chief Technology Officer for Cigital, are in the news, promoting a set of best practices called the Building Security In Maturity Model (BSIMM).

The Wall Street Journal's Digits blog provides some background:

The authors developed the model by studying the security practices at Google, Microsoft, Adobe, and other tech companies, as well as non-tech companies that write their own software like Wells Fargo, and Depository Trust & Clearing Corp. ... When Chess and co-author Gary McGraw studied companies known for taking security seriously they found some practices in common, which became the basis for their model. For example, there’s never even been an accepted best practice for how large a security team should be, says McGraw. The new model recommends one dedicated security person for every 100 software developers a company keeps on staff. WSJ Digits, 3-4-09

BSIMM is a worthy contribution intended for IT leaders, and it is free.

To download it, click here.