Archive for September, 2009

BSIMM Begin – Take the Survey

Thursday, September 24th, 2009

It really feels like software security, as a discipline, has made great progress over the last decade. To begin measuring what firms are actually doing to make software security happen, Gary McGraw, Brian Chess, and I last year interviewed the executives running nine software security initiatives, using the twelve practices of the Software Security Framework as our guide. We used the resulting data to guide construction of the Building Security In Maturity Model (BSIMM). A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve exactly the same set of software security goals, our experience is that all successful software security initiatives share common ideas and approaches. Regardless of the details of your software development lifecycle, there is much to learn from the practical experience of others.

Since the original surveys, we’ve continued to gather data in formal interviews. And, of course, more data is always better.

But, we’d really like lots more data. In that light, I’d like to announce the BSIMM Begin survey sponsored by Cigital. BSIMM Begin is a questionnaire designed to probe a firm’s progress relative to the level one BSIMM activities. It is also an experiment in self-reporting. While we exercise great care when performing in-person formal interviews, we realize that approach doesn’t scale into the hundreds in any reasonable time frame. We’re hoping that self-reported data allows for the level of analysis that will provide meaningful results to everyone in the community and, perhaps more importantly, to those participating in the survey.

If you would like to participate on behalf of your firm, please go to http://bsi-mm.com/begin/.

Thank you very much.


You are currently browsing the Justice League weblog archives for September, 2009.