Tuesday, September 25, 2012

BSIMM4 Released; If You Are Not Part of the Solution, Well Then ...


By Richard Power


My perspective on cyber security goes back to the mid-1990s, and well, yes, my view on its current state (and its likely future) is rather cynical. Why? I was among those who spent the 1990s warning of what was to come, and having those warnings discounted by those entranced by that mass of false memes known as "the conventional wisdom." For the next ten years, I watched the nascent trends I had detected become dominant themes in the field. And in recent years, since the retrospective I offered in 2006, it has become chillingly clear to me that neither sufficient political will nor sufficient corporate accountability exist to address these problems in any meaningful way.

What I do have sustained confidence in, of course, is academic research, particularly that done here at CyLab. Such work is one of our greatest hopes, and that is why I am so happy to be a part of such a program.

The only other element of contemporary cyber security that I have sustained confidence in is the work of those few in business and government who have made the existential choice to see and respond to what actually is, and do so in some way that can make a real difference in and of itself.

That's why my CSO articles this year (see them listed on the sidebar) are all interviews with c-level security and privacy executives who are also thought leaders (surely, you have noticed that these two descriptors are not synonyms). It is also why I take the time, annually, to report to you on the release of the latest BSIMM.

Am I implying that BSIMM is THE solution? Of course not. There is no ONE solution. But it is an exemplary effort to mitigate, and to coalesce collectively around mitigating efforts, and as such it is worthy of both your attention and possibly your involvement.

BSIMM4 encompasses ten times the measurement data of the original 2009 study (95 distinct measurements), it includes updated activity descriptions, and reports on two new activities (bringing the activity count going forward to 111); and (like BSIMM3), it also includes a longitudinal study. 

The project continues to grow in a steady and meaningful way.

The first release of BSIMM, in 2009, included data from nine organizations. By the next release, BSIMM2, in 2010, participation had tripled to thirty organizations.

In 2011, the number of organizations contributing data continued to grow: forty-five organizations were involved in BSIMM3.

This year's iteration, BSIMM4, is built on data from fifty-one firms; these participants represent a range of twelve overlapping verticals including: financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), retail (2) and healthcare (1).

The list of organizations contributing data is impressive, e.g., Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Network, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo and Zynga.

"A Huge Difference"

To provide some insight on this year's BSIMM release, I caught up with its architect, Cigital CTO Gary McGraw, and asked him some questions.

What strikes you in this year's data? Or in the cumulative data so far? What stands out as surprising or deserving of added emphasis?

"The BSIMM continues to grow and evolve as we gather more data. We now have 10 times as many measurements as we started with in 2009. Basically, the data show that if you are not doing software security today you are rapidly falling behind. As an example of what this means, consider that two brand new activities were identified in the BSIMM4 model. The field is growing and progressing."

How would you characterize the impact of BSIMM so far? How would you gauge it? What difference is it making? What difference could it potentially make?

"The BSIMM is making a huge difference in software security as practiced in the commercial marketplace. With 51 firms actively participating, the BSIMM has become a large community of like-minded professionals. The power of the community is evident during the (private) conferences that we hold once a year. The professionals who run software security initiatives are eager to share what they know and learn from each other."

Download BSIMM4. Review it with your team, bring it to your Board of Directors. Participate in the next iteration. Become part of the solution, or at least an example of what one dimension of the solution would look like.

For more information and to access the BSIMM4 study, which is distributed free of charge under a Creative Commons license, please visit: http://bsimm.com/

Related Posts

BSIMM3 Released: "An Excellent Tool for Devising a Software Security Strategy"

Evolving Rapidly, BSIMM2 Offers Key Elements of Successful Software Security Initiatives Shared by 30 Major Corporations

From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference

CyLab Business Risks Forum: Gary McGraw on Online Games, Electronic Voting and Software Security

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives