This summer I had the pleasure of participating as an author in the development of the fourth release of the Building Security in Maturity Model (BSIMM). BSIMM4 provides insight into fifty-one of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. In particular, it tracks 111 activities across twelve practices:
1. Strategy and metrics
2. Compliance and policy
3. Training
4. Attack models
5. Security features and design
6. Standards and requirements
7. Architecture analysis
8. Code review
9. Security testing
10. Penetration testing
11. Software environment
12. Configuration and vulnerability management
The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.
For me, the most interesting projects always involve data. Data are what help us model the environment in which we work and understand how the actors around us accomplish their goals. Data, even the simplest data, can illuminate problems in entirely new ways and that’s what BSIMM4 does. BSIMM is the single best mechanism for understanding how your organization builds secure software and for comparing your own activities to those of relevant peers. You can start today by downloading BSIMM4 and beginning to see where your firm stacks up!