Group, which builds security through cooperation among competitors, has 'reached a critical mass,' co-founder says

BSIMM keeps getting bigger and, says its founders — much better.

The Building Security in Maturity Model, a set of best security practices developed by analyzing real-world data, is now in its fourth iteration. It includes real-world data from 51 firms with active software security initiatives, and creates a framework based on common areas of success.

That is up from a modest beginning of nine initiatives in 2009, when Gary McGraw, CTO of Cigital, launched BSIMM with Cigital colleague Sammy Migues, and Brian Chess of Fortify.

“BSIMM4 encompasses 10 times the measurement data of the original 2009 study [95 distinct measurements],” said a press release from Cigital yesterday, announcing the latest BSIMM release. BSIMM is designed to save software developers both headaches and money by building security into their products from the start, instead of trying to bolt it on later.

As McGraw has said in the past, BSIMM is not a set of instructions. “It is a descriptive model, not prescriptive. It doesn’t tell you what you should do. It tells you what other people are already doing.” [See Bill Brenner’s post in Salted Hash on BSIMM4’s launch]

That, he said, is why the vast increase in initiatives and data is so valuable. The variety of enterprises also adds to the diversity of what works in different industries.

The 51 firms are in “financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), retail (2) and healthcare (1),” Cigital says.

BSIMM breaks down what the various firms are doing into a list of 111 specific activities, about 30 of which are common to more than two thirds of the participants. “We’re not saying you (developers) should do them all,” McGraw said.
“But it lets you see what has already worked.”

McGraw told CSO Online that one of the most important elements of the new release is two new activities, which push the total from 109 to 111. They are “simulate software crisis” and “automate malicious code detection.”

“We only add to the model if we see them in multiple places,” McGraw said. “And the reaction of the BSIMM community has been ‘Wow — cool, those are great ideas.’ So you can really see the power of the community.”

Indeed, this is an otherwise unlikely community, since it features cooperation among enterprises that are frequently fierce competitors, but have common interests when it comes to security from attacks that could compromise proprietary information and the personal information of customers.

The current BSIMM model is broken into 12 categories software makers can follow. They include strategy and metrics; compliance and policy; training; attack models; security features and design; standards and requirements; architecture analysis; code review; security testing; penetration testing; software environment; and configuration and vulnerability management.

The BSIMM community has some of the largest enterprises in the nation, including Adobe, Bank of America, Capital One, EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Microsoft, Nokia, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Symantec, Telecom, Vanguard, Visa and Wells Fargo.

McGraw said he believes the organization is poised to increase its membership rapidly now.
“We’ve reached a critical mass,” he said, “where companies are clamoring to get in.” Member benefits include a private mailing list and an annual conference, set for November this year, where representatives gather together in an off-the-record forum to discuss day-to-day administration of software security initiatives.

But an enterprise does not have to be a member to benefit — the BSIMM4 study is free under a Creative Commons license.