I am frequently asked about SAFECode’s opinion of the Building Security In Maturity Model (BSIMM) and how it differs from our own efforts. So, with the release of BSIMM2 today, I thought it might be a good time to talk a little about BSIMM and how it relates to our work at SAFECode.
It should go without saying that SAFECode is extremely supportive of the BSIMM work and we are thrilled with the success of BSIMM2. In fact, if you take a look at its participants, you will note that nearly all of our members have joined in the effort or are planning to join. Further, a number of our members are represented on the newly announced BSIMM Advisory Board.
So why do these companies dedicate time to both SAFECode and BSIMM?
As Gary McGraw will tell you, BSIMM is about science. It is a descriptive model for software security and provides a way to assess the state of an organization in relation to its peers. As a descriptive model, it doesn’t make judgments. It won’t tell you what to do or how to do it, and it doesn’t weigh which practices are more effective than others – it simply offers data on what is currently being done.
Actually the use of the word “simply” is a bad choice. The truth is that a tremendous amount of work went into to collecting and analyzing this data. The latest release, BSIMM2, triples the size of the original study from nine organizations to 30, across a range of seven overlapping verticals including: financial services (12), independent software vendors (7), technology firms (7), healthcare (2), insurance (2), energy (2) and media (2). BSIMM2 now reports the collective expertise of 635 people in firms with 130 years of collective experience.
This is an impressive amount of industry participation, especially when one considers the detail and scope of BSIMM2, which now offers clear descriptions of 109 software security activities in use today. The combination of broad industry participation and a hardworking BSIMM team has resulted in an extremely valuable set of data and a helpful taxonomy for describing software security practices. The question for SAFECode is how do we leverage this work to make ourselves better? And that is precisely where the two efforts come together.
At SAFECode, we also share practices amongst our members and with the industry at large. But our goal is not to be descriptive. Rather, we are working to improve on the current state-of-the-art in software assurance. SAFECode members come together to work on answers to tough questions. For instance, how can we measure which of these practices are most effective? How can our internal software security teams verify that each of our chosen practices is being done to our internal standards? How can we leverage our software assurance programs to positively impact the security of the larger IT system supply chain? How can we get better at training our teams? How can we get better at communicating with our customers?
SAFECode believes that finding answers to these questions relies in part on an objective understanding of what is being done today – and this is exactly what BSIMM offers. In this way, BSIMM2 provides not only an excellent yardstick for corporate software security programs, but also a foundation for future industry work to make us all better.
Thus when viewed together, we believe SAFECode and BSIMM are a powerful combination in the industry’s efforts to advance software security. We congratulate the BSIMM team on its successful release of BSIMM2 and we are excited about the opportunity to work with the new data.
And, of course, we invite you to join us.