Posts Tagged ‘BSIMM’

BSIMM-V: Software Security is Becoming Mainstream

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions.

This week’s release of the fifth version of the Build Security In Maturity Model (BSIMM-V) reinforces a trend that many of us in the small world of software assurance are witnessing: Developing secure software is no longer the privilege of a few.

I have been closely involved with the BSIMM project since its first version in 2008: EMC was one of the nine companies that were surveyed to build the first version of the model. Five years later, the most astonishing figure that BSIMM-V brings to light is 67: the number of firms that have contributed to building the model. The BSIMM-V document makes it clear: these firms have adopted advanced security practices as part of their software engineering process. Five years ago, I am sure that Gary McGraw and his team struggled to even find nine firms willing to share their software security practices.

The journey is far from over; the firms involved with the BSIMM project are large organizations with a well-established software engineering process. We need software security to become more ubiquitous across organizations of all sizes and from all verticals. We also need software assurance to expand beyond preventing software vulnerabilities and look at the practices required to ensure the integrity and authenticity of the software code we are delivering, as well as the security of the underlying engineering systems and processes that help create this code.

We still have a lot to do, but we are making good progress. Community initiatives like BSIMM provide a great vehicle to continue driving adoption of software assurance practices. Thank you to the BSIMM / Cigital team for continuously updating the model!

The BSIMM Nouveau Has Arrived

Eric Baize

Gary McGraw’s team at Cigital just released version 4 of the BSIMM, the Building Security In Maturity Model. BSIMM is a survey of how software development organizations across many industries approach software security. It provides a good picture of the arsenal of techniques available to software security practitioners. EMC has been associated with BSIMM since its first release; we were one of the nine firms surveyed when the model was first built. We are delighted to see that the survey has grown to 50+ firms without major changes to the model. It tells me that we are certainly focusing on the right activities.

My preferred addition to the BSIMM4 model (more…)

BSIMM 3: What’s new? What’s next?

Eric Baize

An updated version (version 3) of the Building Security In Maturity Model was released this week by Cigital.

BSIMM started in 2008 as an inventory and classification of the software security practices used by practitioners across multiple industries. The updated version includes measurements from 42 firms, including 11 that have been measured twice. As a result, the inventory of software security activities has increased to 109, demonstrating that software security is an evolving field and that there is not one single way to skin the software security cat.

EMC was one of the nine firms measured by Cigital as part of the original BSIMM study, and we are one of the 11 firms in BSIMM 3 that have been measured twice. For us, sharing our software security practices with the industry is part of the industry outreach strategy that led us to become a co-founder of SAFECode in 2007. Enabling IT providers to improve their software security practices is an acknowledgement that the security of our customers’ products and solutions is more than the security of a single vendor’s products.

BSIMM2 – A Very Useful Reference for Software Security Practitioners

Eric Baize

On May 12th, Gary McGraw and his teams from Cigital and Fortify Software released version 2 of the Building Security In Maturity Model (BSIMM). It triples the number of software security practices analyzed by the study, to a total of 30. EMC was one of the nine software security practices studied by the original BSIMM, and we are delighted to see the study expanded.

The number of participants in BSIMM2 underscores how software assurance has become an integral part of the way large organizations develop software. The sharing of working software assurance controls through initiatives like BSIMM makes it easier for software development organizations of all sizes to implement similar controls. This is the main reason why EMC is a founding member of SAFECode and is also part of the BSIMM Advisory Board.

BSIMM2 provides a good starter kit for building a software security practice, alongside others such as the SAFECode reports or Microsoft’s Security Development Lifecycle references.