Consulting firm Cigital has released the fifth version of its highly-regarded Building Security In Maturity Model (BSIMM), a sort of methodological software security toolkit created by analysing the real-world behaviour of some of the world’s best-known firms.

Backed by collaborator HP and Cigital’s CTO and resident security authority Dr Gary McGraw, BSIMM-V features a greatly expanded data set compared to 2012’s edition that describes the security outlook of 67 organisations.

The core of the methodology is to analyse activities or processes, which now total 112. Firms on the list read like a who’s who of US blue chips with a smattering of European names. Normally we’d edit the list but on this occasion it is worth cutting and pasting the full list.

From North America: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Mashery, McAfee, McKesson, Microsoft, NetSuite, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, Standard Life, SWIFT, Symantec, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

From Europe and beyond: Marks and Spencer, Neustar, Nokia, Nokia Siemens Networks, SAP, Sony Mobile, Telecom Italia, Thomson Reuters, TomTom.

It’s an unusual approach that claims that, by using a real-world data set, it can distil security best practice from more than “unproven theories and hunches.” It also rests on the informed estimation that the world’s security woes are largely, if not entirely, down to weaknesses in software.

“The BSIMM Project started as a simple data driven science project and has evolved into the world’s premiere measurement tool for software security,” said Dr Gary McGraw, author of industry textbook, Software Security.

“With BSIMM-V, we have significantly expanded the data set again and are now confident that we can measure any firm worldwide with the same measuring stick. If you wonder how your firm’s software security practices stack up, we can tell you,” he said.

The revised version represented the outlook of 975 software security professionals securing the software built by an astonishingly precise 272,358 developers.

The ultimate goal of BSIMM was to give security professionals working inside similar enterprises a yardstick with which to measure their security outlook.

“Back in the old days it wasn't clear what to do; now it is abundantly clear what to do,” said McGraw. “Security problems have at their heart broken software. The question when it comes to security engineering is how much we spend.”

Since its inception in 2008, BSIMM has offered a way to plot the progress of long-term security initiatives over time, something enterprises had struggled to do until then. Each expansion of the data set has increased the model’s usefulness.

"The BSIMM is an instrumental tool to determine the maturity and effectiveness of an organization's software security activities and we use it to measure the progress in improving software security year over year," commented Aetna CISO and BSIMM board member, Jim Routh.

BSIMM-V is distributed free of charge under a Creative Commons license.