BSIMM3 launches today

Sep 27, 2011
Data and Information Security

Version 3 of the Building Security In Maturity Model comes out today. Cigital CTO Gary McGraw got on the phone with me yesterday to talk about what’s in the latest version of the standard he helped create.

First, a primer for the unfamiliar: BSIMM is a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success.

By studying what the nine initiatives were doing, BSIMM’s creators were able to build a best-practices model that’s broken into 12 categories software makers can follow:

1. Strategy and metrics

2. Compliance and policy

3. Training

4. Attack models

5. Security features and design

6. Standards and requirements

7. Architecture analysis

8. Code review

9. Security testing

10. Penetration testing

11. Software environment

12. Configuration and vulnerability management

Delving deeper, the BSIMM model recommends such things as employing one dedicated security practitioner for every 100 software developers on a staff.

McGraw said some highlights for the third major release of the BSIMM include the following:

* BSIMM3 now includes 42 firms.

* BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity.

* 11 firms have been measured twice (giving us Longitudinal Study data) and the data shows measurable improvement.

* The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately).

* BSIMM3 describes the work of 786 SSG members working with a satellite of 1750 people to secure the software developed by 185,316 developers.

“The BSIMM remains the only measuring stick for software security initiatives based on science,” McGraw said. “It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results.”

The concept of working security into the software-writing process from the start has evolved considerably in the last seven or so years.

For one thing, BSIMM is just one of several initiatives out there. There is also OWASP and Microsoft’s Security Development Lifecycle. There’s the Software Assurance Forum for Excellence in Code (SAFECode). And there’s RUGGED.

McGraw said one of the goals behind BSIMM is to tie the common elements of the varying standards together. The BSIMM website elaborates further on this:

“As an organizing feature, we introduce and use a Software Security Framework (SSF) which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.”

–Bill Brenner
