Does your secure software development measure up? See BSIMM, the Sequel

Three of the world’s most passionate evangelists for secure application development have released Version 2 of their really excellent study–with a really bad acronym–of best secure software development practices of some of the world’s leading companies.

The Building Security in Maturity Model, or BSIMM (pronounced “bee-sim”), is based on data gathered in interviews by Gary McGraw and Sammy Migues of Cigital and Brian Chess of Fortify Software with 30 companies across seven verticals, including Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo.

BSIMM’s first iteration, released in spring 2009, was based on interviews the trio conducted with nine companies. To learn more about that, you can check out the BSIMM interview I did with Brian Chess and Sammy Migues for SearchSecurity.com.

This year, they interviewed another 21 firms so that they could produce data that was not only interesting but statistically significant. They were gratified, if a bit surprised, that the patterns in the original data set held up nicely, and they only needed to tweak the software security framework (SSF) that gives structure to BSIMM. They are excited by the results and by the caliber of the companies not only participating in the interviews but actively using BSIMM to measure their programs against other top companies. Even more exciting, perhaps, McGraw says, is that they are “building a community” of software security leadership.

“We got 22 of the firms together at RSA and broke off into a bunch of small group conversations,” he recalls. “After about two hours, the wine and beer ran out, but people stayed anyway until they kicked us out.”

That’s impressive to anyone familiar with the booze-fueled after-hours conversations at RSA.

BSIMM’s framework is built around four domains (governance, intelligence, secure software development lifecycle touchpoints, and deployment), each of which is divided into three practices. The data, however, reflects which companies carry out the 109 activities that can comprise an organization’s software security program. The report breaks out the prevalence of each activity among the 30 companies and, in particular, the 15 activities observed in at least 20 of the 30 companies.

The idea here is to measure your own company’s program against some of the best and the brightest across these different types of companies. It’s not that you have to adopt each and every activity, but it is a great model for how to build up the secure software development program in your organization. The heart of that program is the software security group–every one of the companies has one. They are hardy little bands–an average of one security group member for every 100 developers in an organization, which might have 2,000-3,000 people in its sundry development centers.

More research will follow. Chess wants to figure out some way of measuring the effectiveness of these software security programs. And the trio hopes to develop even more granular data, so they can, for example, compare companies in the same vertical. They are also creating a managed mailing list and have established an advisory board.

And they plan annual get-togethers like the one at RSA. One hopes they’ll stock more beer and wine, but that doesn’t seem to matter, because, McGraw says, “people are very psyched.”
