Sue Marquette Poremba spoke with Sammy Migues, principal at Cigital, about the updated release of the Building Security In Maturity Model (BSIMM), which expands data-defining benchmarks for software security initiatives.
Poremba: What is BSIMM and its purpose?
Migues: About a year and a half ago, we felt we hit a wall in what was available to help people do real software security. There were some methodologies out there, but there wasn't much actual data that people could use. You hear about best practices all the time, but in a lot of cases, best practices are just people's opinions.
What we decided was the world needed some real data, so we interviewed nine firms on how they did software security. We used the data from those interviews to build BSIMM1, which we launched early in 2009. What we did during those interviews was observe 110 unique software security activities, and we aggregated that data under 12 software security practices. A practice is something like code review or security features and design or compliance and metrics.
Since then, we have tripled the size of the study. We now have 30 firms in our data analysis bucket. We performed some statistical analysis on the data. We published a few of those results. The new version of the BSIMM, based on the new collected data, is called BSIMM2.
Poremba: Why is BSIMM2 important for the security community?
Migues: There has been a struggle for a long time on how to take those first steps in making software security actually happen. Over the years, we've gotten a little better at making software itself better, but as far as making it secure from attackers, it's been hit-and-miss progress. We're finding that organizations just don't know how to get started. By going out and measuring how successful organizations are doing it today, and documenting it in a way that others can take and use themselves, we've given them a way to get started.
Why is it important? Well, because you can't check the news on any given day without hearing about some software being broken into or some data getting lost. Clearly there's a need, and if we know some people who are doing it and doing it well, why not write it down and give that information to everybody else?