BSIMM6 Brings Science to Software Security

Similar documents
112 BSIMM Activities at a Glance

Vulnerabilities from the outside. Common Vulnerabilities and Exposures (CVEs) Building Security In with BSIMM

Development Processes (Lecture outline)

Scaling a Software Security Initiative: Lessons from the BSIMM

10 TIPS FOR SUCCESSFUL

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

Software Security Touchpoint: Architectural Risk Analysis

More information >>> HERE <<<

scoring PREDICTIVE SCORING VENDORS

Secure Development LifeCycles (SDLC)

TOP 10 TRENDS FOR 2016 BUSINESS INTELLIGENCE

Cloud Computing: It s In Your Future. What You Need to Know about Logicalis and Cloud Computing

The Digital Camera: A Tool for Creative Teaching. tyc.naeyc.org. Bonnie Blagojevic and Anne Sprague

TABLE OF CONTENTS 1 Chapter 1: Introduction 2 Chapter 2: Big Data Technology & Business Case 3 Chapter 3: Key Investment Sectors for Big Data

Mind Commerce. Commerce Publishing v3122/ Publisher Sample

Global Healthcare Cloud Computing Market

Partnering Excellence

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Beyond ISO Intel's Product Security Maturity Model (PSMM)

INTERVIEW: SOFTWARE SECURITY IN THE REAL WORLD

Show your value, grow your business:

BEST PRACTICES: CREATING AN INNOVATIVE EDUCATIONAL EXPERIENCE

The Shadow IT Phenomenon

getting there Models for Self- Directed Support broker support Getting There Discussion paper

Big Data Services Market in Western Europe

A framework for creating custom rules for static analysis tools

Building Private Cloud on

EBOOK. TIPS For SUCCESSFUL Marketing Campaigns

TechTarget 2009 Media Consumption Benchmark Report 2:

Program Review of Occupational Education/Discipline Review Template

UX Professionals Salary Survey

Masters. in Digital Marketing.

The Logicalis Data Center Practice We help you bridge the gap between the data center you have today and the data center strategy you will need

Cybersecurity report As technology evolves, new risks drive innovation in cybersecurity

Research Investments in Large Indian Software Companies

upport uy in ccountable ndependent epresentative impact ower and influence Measuring the impact and success of your youth voice vehicle

INTERNATIONAL GRADUATE SCHOOL OF BUSINESS MBA IS AN MBA RIGHT FOR YOU?

Attack Trends software security? Gary McGraw, Ph.D. Chief Technology Officer, Cigital Cigital

WEBTRENDS + SITRION SOCIAL ENTERPRISE SOLUTION

Professional Diploma in Mobile gmarketing

Private Cloud Market in India

Virtual Classroom Designer Competency Resources

How To Understand The Business Case For Big Data

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

NSW Public Service Commissioner NSW Health Good Health Great Jobs Stepping Up Forum 2015

Logicalis Data and Storage Practice

Office of Communications for Enrollment Management

Beyond Succession Planning The Explosive Rush to Talent Readiness

Improving Visibility into your Vulnerability Management Program

EVOLVING PERFORMANCE MANAGEMENT BECAUSE THE WORK YOU DO MATTERS.

With Chase Commercial Online, you can quickly and easily view statements, check images and deposit slip images online. 1

Threat Intelligence is Like Three Day Potty Training

Doctorate in Business

Practical Applications of Software Security Model Chris Nagel

Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration

Data Center Solutions

White Paper. Before we begin a few definitions. Executive Overview Converged Infrastructure Enables Advanced IT

Optimizing Enrollment Management with Predictive Modeling

Post Graduation Survey Results 2015 College of Engineering Information Networking Institute INFORMATION NETWORKING Master of Science

Cyber Security: Software Risk Management for Utilities

THE SECRET OF ONLINE SUCCESS: WHY STRUCTURE MATTERS

UP L04 Introduction to 3 rd Party Patching Using the 4A Model Hands-On Lab

Five Core Principles of Successful Business Architecture. STA Group, LLC Revised: May 2013

Excel Dashboard Diploma

Supply Chain Talent: A Broken Link in the Supply Chain

Realist 2.0 MLS Support (512) Monday thru Friday 9:00 am 5:00 pm

APQC CORPORATE EDUCATION CATALOG

Secure Data Transfer

Why Computer Science? Robert H. Sloan University of Illinois at Chicago

The Metamorphosis of Communications Competition

Transcription:

BSIMM Building Security In Maturity Model 6 BSIMM6 Brings Science to Software Security The sixth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives. By now, you should have heard about the Building Security In Maturity Model (BSIMM) project, especially if you are a software security person. (No? A good place to start is by taking this software security quiz.) Maybe you ve even downloaded a copy of your own to peruse (it s free under the Creative Commons license). Either way, it s time to get a new copy, because BSIMM6 has just been released. Remember, because BSIMM is completely data driven, the BSIMM6 document is different than what you may have read in the past. That s how science goes. In this short piece, we re going to focus on BSIMM6 facts and figures. The numbers are about real software security nitiatives doing real work to secure the software that you use every day. This is no ephemeral top ten list from the bug parade. This is a set of facts about the real state of commercial software security on planet Earth. Who is the BSIMM community anyway? The BSIMM project is spearheaded by three co-authors (the same three who wrote this piece you re reading now). We are directly involved in gathering data in person from each of the BSIMM firms. The data we gather directly through observation describes the work of 78 software security initiatives, from firms including: Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, Trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health. By the way, we added a data freshness constraint to the model with BSIMM6. We now exclude measurements older than 42 months to better align with business cycles. This requirement caused 21 firms to be removed when we created BSIMM6. What is the BSIMM? The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data contained in the model, which show what other organizations are doing. You can then identify goals and objectives of your own and look to the BSIMM to determine which further activities make sense for you. The BSIMM is not a software security methodology. To make this clear, consider that the BSIMM can be used to measure Microsoft s SDL, but it is by no means a replacement for the Microsoft SDL. BSIMM6 Brings Science to Software Security 1

BSIMM by the Numbers Table 1 shows how the BSIMM Project has grown over the years. Remember, software security initiatives are ongoing and not a fire-and-forget exercise. Table 1 As you can see, at this stage of the game, the BSIMM describes the work of 1,084 full-time software security professionals who are attempting to help 287,006 developers build more secure software. They have help from the satellite, which is made up of developers, architects, and people in the organization directly engaged in and promoting software security, but not as full-time software security group (SSG) members. Ever wonder how big your firm s SSG should be? We wonder also, but we do know how big the SSGs are at 78 firms. If we average all the ratios of SSG size to Development size, we get an SSG average of averages of 1.51% (median 0.7%). Table 2 on the following page contains some additional interesting data. Table 2 BSIMM6 Brings Science to Software Security 2

Table 3 below shows just how many firms make use of each of the 112 activities in the BSIMM. Each activity has a label (like SM1.1) and is described in detail in the BSIMM6 report. See, it turns out we do know how to do software security! We even know who is doing what. Now what we need to do is spread adoption of software security to all firms creating software. You can help. Table 3 How does your firm compare? Here s what happens when you measure a new firm using the BSIMM measuring stick. You can directly compare how your software security initiative stacks up against the other 78 firms in BSIMM6. Is your firm a financial services institution? Well, we can compare you to 33 other financial services firms. Are you an ISV? We can compare you directly to 27 other ISVs. BSIMM6 also marks the introduction of the healthcare industry with the inclusion of 10 firms. Measurement is a powerful tool that drives both budgets and improvement. Nobody wants to be the slowest zebra in the zebra pack. Is your firm the slowest zebra? You can get your own scorecard like the one in Table 4 and do some analysis to find out. BSIMM6 Brings Science to Software Security 3

Table 4 We also create a spider diagram (Figure 1) as a way of visualizing a comparison based on 12 practices. The 112 activities in the model fit directly into the 12 practices. Our spider-graph-yielding high-water mark approach (based on three levels per practice) is sufficient to get a lowresolution feel for maturity, especially when working with data from a particular vertical or geography. BSIMM6 Brings Science to Software Security 4

Figure 1 One meaningful comparison is to chart your own firm s maturity high-water mark against the averages we have published to see how your initiative compares. The BSIMM community The 78 firms participating in BSIMM6 make up the BSIMM community. A moderated private mailing list with over 250 members allows SSG leaders participating in the BSIMM to discuss solutions with others who face the same issues, discuss strategy with someone who has already addressed an issue, seek out mentors from those further along a career path, and band together to solve hard problems. The BSIMM community also hosts annual private conferences in the United States and Europe where representatives from each firm gather together in an off-the-record forum to discuss software security initiatives. Become part of the community today and take advantage of these unique resources. The BSIMM website includes a credentialed BSIMM community section where information from the conferences, working groups, and mailing-list-initiated studies are posted. Would you like your firm to be included in the BSIMM community? Give us a shout. BSIMM6 is the latest snapshot of a growing and evolving set of real data about software security. The more data we have, the better off we all are. It s science time. Authors Sammy Migues Gary McGraw, Ph.D. Jacob West BSIMM Building Security In Maturity Model 6Want to know how your software security initiative stacks up against your peers? Go to www.bsimm.com to learn more. This was first published in October 2015. About Cigital Cigital is one of the world s largest application security firms. We go beyond traditional testing services to help organizations find, fix and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services and products tailored to fit your specific needs. We don t stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications. BSIMM6 Brings Science to Software Security 5 www.cigital.com Cigital 21351 Ridgetop Circle Suite 400 Dulles, VA 20166 2015 Cigital

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information