BSIMM3 will let organizers see how initiatives have evolved. One of its new features is the result of the group going back and re-measuring 12 of the original initiatives, to see what changes and improvements have been made over time.

When it comes to software, security may still not be as sexy as features and functions, but it is now officially essential.

For proof, look at the explosive growth of BSIMM — the Building Security In Maturity Model — a burgeoning compilation of real-world data and analysis designed to help software developers build security into their products from the start, instead of trying to bolt it on later.

It was less than two years ago, in September 2009, when three leaders from the security firms Cigital and Fortify went public with BSIMM, a set of best practices culled from studying nine software security initiatives.

Less than a year later, in April 2010, BSIMM2 had tripled its reach, with data from studying 30 initiatives, including some of the biggest in finance, software and information technology. They include Bank of America, Microsoft, Google, Adobe, Symantec, Intel and Intuit.

And in August, they will roll out BSIMM3, which will include data from 60 initiatives, according to Gary McGraw, CTO of Cigital, who launched BSIMM with Cigital colleague Sammy Migues and Brian Chess of Fortify.

BSIMM is not a set of instructions. “It is a descriptive model, not prescriptive,” McGraw says. “It doesn’t tell you what you should do. It tells you what other people are already doing.”

BSIMM breaks down what those other firms are doing into a list of 109 specific activities, about 30 of which are common to more than two thirds of the participants.

“We’re not saying you (another developer) should do them all,” McGraw says, “but it lets you see what has already worked.”

BSIMM3 will also let them see how initiatives have evolved. One of its new features, McGraw says, is the result of his group going back and re-measuring 12 of the original initiatives, to see what changes and improvements have been made over time.

Best of all, it is free. BSIMM has been released under a Creative Commons license, which lets developers take what they think is useful and create their own model. They are just asked to credit BSIMM for the material used.

McGraw admits it is gratifying to see software security getting the respect it deserves. A year ago, he joked that when he started, 15 years earlier, he couldn’t even sell the concept to his mother, but he is now in demand from the world’s biggest software firms.

“In the beginning, it was all advocacy and evangelism,” he says, noting that security was more of an afterthought, since all the focus was on features and functions. Security, he says, was thought of as “sprinkling fairy dust” on a product.

“But security is not a thing, it is a property (of software),” he says.

He is also excited that it has created a community among firms, some of which are fierce competitors, but which have common interests when it comes to security against attacks that could compromise proprietary information and the personal information of customers.

“They’re talking directly to each other and learning from each other,” he says.