Tuesday, September 27, 2011

BSIMM3 Released: "An Excellent Tool for Devising a Software Security Strategy"

"BSIMM3 can be used as a measuring stick for software security. As such, it is useful for comparing software security activities observed in a target firm to those activities observed among the thirty firms (or various subsets of the thirty firms). A direct comparison using the BSIMM is an excellent tool for devising a software security strategy." Gary McGraw, InformIT, 9-27-11

By Richard Power

As I have noted over and over throughout the years, software security is a vital aspect of any holistic approach to cyber security, and as I have written in recent years, the Building Security in Maturity Model (BSIMM) is a useful resource for those engaged in advancing the development and application of software security. Of course, BSIMM is not a set of standards; it is a set of activities identified as integral to the most successful software security initiatives in the world. That is its strength, and that strength grows with each new year of aggregated data.

The third edition of Building Security in Maturity Model (BSIMM3) is now available.

Here are some highlights of BSIMM3:
  • Now includes forty-two firms
  • One hundred nine activities in twelve practices with two or more real examples for each
  • Eleven firms have been measured twice (giving us Longitudinal Study data) and the data show measurable improvement
  • Eighty-one distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
  • Describes the work of 786 SSG members working with a satellite of 1750 people to secure the software developed by 185,316 developers

CyBlog caught up with Gary McGraw, CTO, Cigital, who drives the BSIMM, and asked for his perspective on this year's report.

"The two most important things we learned in the BSIMM3 work are: 1) that each of the 42 firms has an explicit software security group (SSG) and an SSG has on average 2 full-time people for every 100 developers, and 2) we now know much more about how software security initiatives evolve and change over time."

"The BSIMM remains the only measuring stick for software security initiatives based on science. It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results. Finally, FWIW, the government is woefully behind when it comes to software security."

Download BSIMM3.

Some Related Posts

Evolving Rapidly, BSIMM2 Offers Key Elements of Successful Software Security Initiatives Shared by 30 Major Corporations (2010)

CyLab Business Risks Forum: Gary McGraw on Online Games, Electronic Voting and Software Security (2009)

From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference (2009)

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives (2009)