Company Blog
Training by the Numbers
1992: Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality
“a few hundred”: ILT days delivered from 1992 through 2006
5,000: ILT students trained from 1992 through 2006
575: ILT and tutorial days delivered from 2007 through today
9,000: ILT students trained from 2007 through today
100,000: current students [...]
Announcing BSIMM3
We announced BSIMM in March 2009 and BSIMM2 in May 2010. It’s now time for BSIMM3. Long live the BSIMM. Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that [...]
BSIMM Begin
Starting this past winter, we tried an extended BSIMM-related experiment in self-reporting as a means of gathering software security activity data. We did this by directly contacting individuals and organizations to entice them to complete a survey. We called that effort BSIMM Begin. BSIMM Begin is related to the actual BSIMM, but it is not [...]
At the NRECA conference
I had the opportunity to address a group of electrical cooperatives at a recent conference in sunny Atlanta, which was actually snowy. I always welcome the challenge of bringing technical security concepts to a new audience and this was an excellent crowd. The ensuing Q&A showed the broad range of concerns from these small electrical [...]
BSIMM Europe
Today we officially launch BSIMM Europe, a study of 9 EU firms’ software security initiatives. We continue to focus our initial data gathering on large-scale software security initiatives at major software firms. Firms in the study include: Nokia, Standard Life, SWIFT, Telecom Italia, and Thomson Reuters. An informIT article can be found here. The article [...]
BSIMM Begin – Take the Survey
It really feels like software security, as a discipline, has made great progress over the last decade. To begin measuring what firms are actually doing to make software security happen, Gary McGraw, Brian Chess, and I last year interviewed the executives running nine software security initiatives, using the twelve practices of the Software Security Framework [...]
Announcing the Building Security In Maturity Model (BSIMM)
The first phase in our endeavor to bring some science to software security is at a close. Our science-y approach started with some anthropology several months ago. We asked nine firms to tell us about their software security group (SSG), its inception, its activities, and the success it has achieved. The result is the Building [...]
Please Don’t FUD the Animals
I absolutely enjoyed the insight shown by Thomas Wailgum in his recent article “How TJX Avoided Wall Street’s Wrath”, mostly because I have long been in complete agreement with the premise. With respect to security professionals, unfortunately, TJX now appears to be “the one that got away.” Let me explain, with tongue planted firmly in [...]
Additional Thoughts on “The Risk of Too Much Risk Management”
My previous post sparked comments from Mike Rothman, Alex, Christofer Hoff, Arthur, and perhaps others I haven’t seen. I sincerely appreciate everyone’s considered feedback. In this case, the feedback was to tell me I’m off-base on terminology, and that’s all good. I’m happy to take lumps when I mess something up. I really meant it [...]
The Risk of Too Much Risk Management
IT controls. Corporate governance. Decision support. Right-sized spending (another phrase I thought I coined, but I see it gets three hits in Google). These are all part of the all-too-nebulous activity often referred to as data security risk management. Let’s put a stake in the ground on what risk management means. I’m not referring to [...]