BSIMM4 gets bigger, better

BSIMM keeps getting bigger and, say its founders, much better.

The Building Security in Maturity Model, a set of best security practices developed by analyzing real-world data, is now in its fourth iteration. It includes real-world data from 51 firms with active software security initiatives, and creates a framework based on common areas of success.

That is up from a modest beginning of nine initiatives in 2009, when Gary McGraw, CTO of Cigital, launched BSIMM with Cigital colleague Sammy Migues, and Brian Chess of Fortify.

"BSIMM4 encompasses 10 times the measurement data of the original 2009 study [95 distinct measurements,]" said a press release from Cigital yesterday, announcing the latest BSIMM release.

BSIMM is designed to save software developers both headaches and money by building security into their products from the start, instead of trying to bolt it on later.

As McGraw has said in the past, BSIMM is not a set of instructions. "It is a descriptive model, not prescriptive. It doesn't tell you what you should do. It tells you what other people are already doing."

[See Bill Brenner post in Salted Hash on BSIMM4's launch]

That, he said, is why the vast increase in initiatives and data is so valuable. The variety of enterprises also adds to the diversity of what works in different industries.

The 51 firms are in "financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), retail (2) and healthcare (1)," Cigital says.

BSIMM breaks down what the various firms are doing into a list of 111 specific activities, about 30 of which are common to more than two thirds of the participants. "We're not saying you (developers) should do them all," McGraw said. "But it lets you see what has already worked."

McGraw told CSO Online that one of the most important elements of the new release is two new activities, which pushes the total from 109 to 111. They are "simulate software crisis" and "automate malicious code detection."

"We only add to the model if we see them in multiple places," McGraw said. "And the reaction of the BSIMM community has been 'Wow -- cool, those are great ideas.' So you can really see the power of the community."

Indeed, this is an otherwise unlikely community, since it features cooperation among enterprises that are frequently fierce competitors, but have common interests when it comes to security from attacks that could compromise proprietary information and the personal information of customers.

The current BSIMM model is broken into 12 categories software makers can follow. They include strategy and metrics; compliance and policy; training; attack models; security features and design; standards and requirements; architecture analysis; code review; security testing; penetration testing; software environment; and configuration and vulnerability management.

The BSIMM community has some of the largest enterprises in the nation, including Adobe, Bank of America, Capital One, EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Microsoft, Nokia, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Symantec, Telecom, Vanguard, Visa and Wells Fargo.

McGraw said he believes the organization is poised to increase its membership rapidly now. "We've reached a critical mass," he said, "where companies are clamoring to get in."

Member benefits include a private mailing list and an annual conference, set for November this year, where representatives gather together in an off-the-record forum to discuss day-to-day administration of software security initiatives.

But an enterprise does not have to be a member to benefit: the BSIMM4 study is free under a Creative Commons license.
