BSIMM4 launches today

The BSIMM4 project offers insight into 51 of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time.

My old friend Gary McGraw of Cigital just dropped me a line to say BSIMM4 is out.

A primer for the unfamiliar: BSIMM is a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success. By studying what the nine initiatives were doing, BSIMM's creators were able to build a best-practices model that's broken into 12 categories software makers can follow:

1. Strategy and metrics

2. Compliance and policy

3. Training

4. Attack models

5. Security features and design

6. Standards and requirements

7. Architecture analysis

8. Code review

9. Security testing

10. Penetration testing

11. Software environment

12. Configuration and vulnerability management

Delving deeper, the BSIMM model recommends such things as employing one dedicated security practitioner for every 100 software developers on a staff.

The study focuses on the activities of such companies as Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

McGraw says BSIMM4:

--Includes 51 firms from 12 industry verticals

--Has grown 20 percent since BSIMM3 and is ten times bigger than the original 2009 edition

--Has 95 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score)

--Continues to show that leading firms on average employ two full-time software security specialists for every 100 developers

"In addition to revising the 111 activities according to the data, we also identify and describe two brand new activities," McGraw says. They are: simulate software crisis, and automated malicious code detection.

Copyright © 2012 IDG Communications, Inc.