BSIMM2: Leading Software Security Maturity Model Triples to Include More Real-World Data on Software Security Initiatives

Sue Marquette Poremba

Sue Marquette Poremba spoke with Sammy Migues, principal at Cigital, about the updated release of the Building Security In Maturity Model (BSIMM), which expands the data that defines benchmarks for software security initiatives.

Poremba: What is BSIMM and its purpose?

Migues: About a year and a half ago, we felt we hit a wall in what was available to help people do real software security. There were some methodologies out there, but there wasn't much actual data that people could use. You hear about best practices all the time, but in a lot of cases, best practices are just people's opinions.

What we decided was the world needed some real data, so we interviewed nine firms on how they did software security. We used the data from those interviews to build BSIMM1, which we launched early in 2009. What we did during those interviews was observe 110 unique software security activities, and we aggregated that data under 12 software security practices. A practice is something like code review or security features and design or compliance and metrics.

Since then, we tripled the size of the study. We now have 30 firms in our data analysis bucket. We performed some statistical analysis on the data. We published a few of those results. The new version of the BSIMM, based on the new collected data, is called BSIMM2.

Poremba: Why is BSIMM2 important for the security community?

Migues: There has been a struggle for a long time on how to take those first steps in making software security actually happen. Over the years, we've gotten a little better at making software itself better, but as far as making it secure from attackers, it's been hit-and-miss progress. We're finding that organizations just don't know how to get started. By going out and measuring how successful organizations are doing it today, and documenting it in a way that others can take and use themselves, we've given them a way to get started.

Why is it important? Well, because you can't check the news on any given day without hearing about some software being broken into or some data getting lost. Clearly there's a need, and if we know some people who are doing it and doing it well, why not write it down and give that information to everybody else?

Next page: Surprisingly, One Size Fits Most

Comments

May 21, 2010 5:16 AM, Mary Mary says:

If you are interested in learning more about network security, my client Cisco is hosting Cisco Live at The Mandalay Bay Resort in Las Vegas, June 27-July 1st.

Jun 27, 2010 11:28 AM, song song says:

Hi Sue,

BSIMM is helpful for software security assurance. I also do some work about it at http://limesurvey.oii.ox.ac.uk/index.php?sid=86911&lang=en. Would you like to spare 30 minutes to complete my survey?

Thanks!