Announcing the Building Security In Maturity Model (BSIMM)

The first phase in our endeavor to bring some science to software security is at a close. Our science-y approach started with some anthropology several months ago. We asked nine firms to tell us about their software security group (SSG), its inception, its activities, and the success it has achieved. The result is the Building Security In Maturity Model authored by Gary McGraw, Brian Chess (Fortify), and me, which is out for public use at http://bsi-mm.com. We’re very pleased that the Wall Street Journal broke the news of the BSIMM release.
Please take a look at BSIMM. If you run or are active in a software security group, look at it like a yardstick. Consider the activities listed versus what your organization is doing. Look especially closely at the things all or most organizations do (e.g., http://www.informit.com/articles/article.aspx?p=1326511). If your SSG is not doing those things, you might want to consider them. If your organization needs an SSG, you should be able to use the same activities to get one started.
I want to emphasize that we could not have done this without active participation by the nine firms we interviewed. The data in BSIMM is their data. Data from the interviews we conducted were used to build the model from scratch. The examples included with the activities are real examples. After building BSIMM, we scored each organization using it. The individual scorecards, although unreleasable, are fascinating. They provide a unique glimpse into how local culture, perhaps as much as or more than business imperatives, drives the approach to software security. Suffice it to say, for now, that the carrot is once again shown to be mightier than the stick.
I’ll talk more about the BSIMM and individual topics over the coming weeks.
As a final note, BSIMM is a data-driven model. The model will improve when more real-world data is added. If you’d like to discuss how to get your organization’s data into the model–and the comparison of you against others back out–please let me know at smigues -at- cigital.com.
March 17th, 2009 at 2:48 pm
The BSIMM is a sizeable document, so digesting it all at once can be a challenge. My monthly informIT column this month explains the BSIMM in a much easier to digest, shorter form. The article is co-authored by Brian and Sammy.
http://www.informit.com/articles/article.aspx?p=1332285
We had a great time writing this one. Here is my favorite snippet (in the science versus alchemy vein):
“But now the time has come to put away the bug parade boogeyman, the top 25 tea leaves, black box web app goat sacrifice, and the occult reading of pen testing entrails. The time for science is upon us.”
gem