BSIMM2 Details Success of 30 Leading Organizations in 7 Vertical Markets; New Advisory Board Formed to Include Software Security Luminaries.
DULLES, Va. -- Cigital, the largest consulting firm specializing in software security, announced an updated release of the "Building Security In Maturity Model" (BSIMM) study, which significantly expands the data defining benchmarks for successfully developing and growing an enterprise-wide software security initiative.
Launched in March 2009, BSIMM is the industry's first and only structured set of best practices for software security based on real-world data rather than philosophy and theory. The latest release, BSIMM2, triples the size of the original study from nine organizations to 30, across a range of seven overlapping verticals including: financial services (12), independent software vendors (7), technology firms (7), healthcare (2), insurance (2), energy (2) and media (2). BSIMM2 now reports the collective expertise of 635 people in firms with 130 years of collective experience.
Based on in-depth interviews with leading enterprises such as Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo, among others, the BSIMM2 study provides insight into 30 of the most successful software security initiatives in the world, listing daily best practices used by these organizations to build security into their software and mitigate the business risk associated with broken software.
"We are thrilled that the BSIMM study has tripled in size this past year and that the model has been widely adopted as a de facto standard across so many leading organizations," said Dr. Gary McGraw, CTO of Cigital and author of Software Security. "Securing the software that runs the modern world is a clear number one priority when you consider today's threat landscape. From cybercrime to cyber war, insecure software is a major problem. BSIMM is a powerful measuring stick used by leading firms to protect their most critical information asset--software."
"Organizations are waking up to the fact that they absolutely need to ensure the security of the software that powers their business," said Dr. Brian Chess, co-founder and Chief Scientist of Fortify Software, and co-author of BSIMM2. "BSIMM is meant to be used by anyone charged with creating and executing a software security initiative, giving them a tool for measuring their software security assurance program against some of the most forward-thinking organizations out there."
Using the software security framework, Chess, McGraw and Cigital co-author Sammy Migues conducted a series of in-depth fact-finding interviews with the executives in charge of the 30 software security initiatives. Data were collected on each initiative's software security activities, covering strategy and metrics, training, standards and requirements, security testing, code review, penetration testing and more, and a number of common themes among the successful initiatives emerged, including:
* The necessity of a Software Security Group (SSG): SSG size on average is 21.9 people (smallest 0.5, largest 100, median 13). The average number of developers among organizations was 5061 people (smallest 40, largest 30,000, median 3000). The numbers yield an average percentage of SSG to development of just over 1 percent, or 1 SSG member for every 100 developers.
* Commonalities among SSG structure: At the highest level of organization, SSGs come in three major flavors: those organized according to technical SDLC duties, those organized by operational duties, and those organized according to internal business units.
* Tested practices: The BSIMM clearly describes 109 activities that every organization can put into practice today.
* A software security satellite: In addition to the SSG, many software security programs have identified a number of individuals (often developers, testers, and architects) who share common software security tasks, but are not directly employed in the SSG. On average, satellite size is 39.7 people (smallest 0, largest 300, median 11). Of particular interest, nine of the 10 firms with the highest BSIMM scores have an active satellite, and only eight of the remaining 20 firms outside of the top 10 do. This suggests that the more mature a software security initiative is, the more distributed its activities are.
Alongside the release of BSIMM2, Cigital announced a newly created BSIMM Advisory Board to help shepherd the emerging community and guide the work going forward. The Board plans to hold the first BSIMM practitioner conference this fall in Washington, D.C. Board members include:
* Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft
* Eric Baize, Senior Director, Product Security Office, EMC Corporation
* Jeff Cohen, Head of Product Security Assurance, Intel
* Janne Uusilehto, Director, Head of Product Security, Nokia
* Brad Arkin, Director of Product Security and Privacy, Adobe
For more information and to access the BSIMM2 study, please visit: http://bsimm2.com/
About Cigital
Cigital, Inc. is the leading software security and quality consulting firm in the world. Established in 1992, Cigital plans and implements initiatives that help organizations ensure their applications are secure and reliable while also improving the way they build and deploy software. Our recognized experts apply a combination of proven methodologies, tools, and best practices to meet each client's unique requirements. Cigital is headquartered outside Washington, D.C. with regional offices in the U.S., Europe, and India. For more information visit http://www.cigital.com.
What the BSIMM community is saying
"The BSIMM is a great vehicle for helping software developers assess, develop and grow their software security practices by defining benchmarks across geographies and industries. As one of the original nine BSIMM participants, Adobe is excited to continue guiding the growth of the BSIMM as a member of the advisory board."
Brad Arkin
Director of Product Security and Privacy
Adobe
"Building a great Software Security Program is an ongoing process, and involves many complex challenges, both technical and organizational. I look forward to Google's continued participation in the BSIMM Study, and working with a community of like-minded Software Security professionals to share experiences and lessons learned."
Matt Moore
Product Security
Google
"The BSIMM provided us with a useful metric to assess our product security assurance initiative. It helped to validate our current approach and provided some valuable suggestions for further improvement."
Jeffrey Cohen
Head of Product Security Assurance
Intel
"BSIMM provides valuable information the software development industry can use, and we look forward to helping define future research results. It's encouraging to see that other organizations also benefit from practices that are elements of our Security Development Lifecycle and we expect to see additional specific benefits from the next phase of BSIMM research."
Steve Lipner
Senior Director, Security Engineering Strategy, Trustworthy Computing Group
Microsoft
"BSIMM has given us direction where to invest resources in our application security programme to get the best return. The process has been very valuable."
Tom Lawton
Head of Information Security, Markets Division
Thomson Reuters
"The BSIMM model has been instrumental as an influence for me in designing and implementing software security programs that achieve maturity."
Jim Routh
Former CISO
Financial Services
"The BSIMM effort has broken new ground in software security by providing real-world data on corporate software assurance activities in practice today. SAFECode believes BSIMM provides an excellent foundation for future work to both measure and advance the effectiveness of software security efforts and we are looking forward to taking a closer look at the new data provided."
Paul Kurtz
Executive Director
Software Assurance Forum for Excellence in Code (SAFECode)
For more quotes about the BSIMM, see http://bsimm2.com/press/#praise