You Need a Software Security Group (SSG)

The BSIMM study focuses attention on software security in large organizations and, at the moment, covers the work of 1554 full-time employees working every day in 26 software security initiatives. One phenomenon we observed consistently in the BSIMM is that every large initiative has a Software Security Group (SSG) to carry out and lead software security activities.

I wrote about our observations around SSGs in my December informIT article.

Simply put, an SSG is a critical part of a software security initiative in all companies with more than 100 developers. (We’re still not sure about SSGs in smaller organizations, but the BSIMM Begin data (now hovering at 75 firms) may be revealing.)

Cigital’s SSG was formed in 1997 (with John Viega, Brad Arkin, and me as founding members). Since its inception, we’ve helped plan, staff, and carry out ten large software security initiatives in customer firms. One of the most important first tasks is establishing an SSG.

2 Responses to “You Need a Software Security Group (SSG)”

  1. James Says:

    This seems like a large investment for a company. What requirements would a smaller operation require?

  2. gem Says:

    Hi James,

    You’re right. In my view, software security is worth the investment, but such a decision ultimately depends on the business situation.

    Don’t overlook the fact that the number we discovered for SSG size is a ratio: 1% the size of dev. So if you only have 100 developers, that’s 1 full-time person. Depending on the business that you’re in, that kind of number can make all kinds of sense.

    We’re still not sure how very small companies should react to our findings, but we’re running BSIMM Begin to find out. Please fill out a BSIMM Begin survey today and help our cause!

    gem
