BSIMM3 Release Doubles Software Security Measurement Data and Includes Measurements Over Time
September 2011 by Marc Jacob
Cigital announced the third major release of the "Building Security In Maturity Model" (BSIMM) study. BSIMM3 continues to add real-world data defining benchmarks for successfully developing and operating an enterprise software security initiative. The study reveals that firms participating in the BSIMM project show measurable improvement in their software security initiatives over time.
BSIMM3 is a multi-year study of real-world software security initiatives, based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga. The BSIMM3 study provides insight into forty-two of the most successful software security initiatives in the world, identifying activities used by these organizations to effectively plan, structure, and execute the evolution of a software security initiative.
Originally launched in March 2009, the BSIMM is the industry’s first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3, released today, covers forty-two firms representing a range of eight overlapping verticals including: financial services (17), independent software vendors (15), technology firms (10), telecommunications (3), insurance (2), energy (2), media (2) and healthcare (1). The current release includes 109 thoroughly updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.
“The BSIMM Community is made up of professional software security executives,” said Gary McGraw, Ph.D., co-author of the study and CTO of Cigital. “We have moved well past discussion of technical bugs and into the meat of how to change the development culture in a sizeable organization, and more importantly, how to measure results objectively. BSIMM is growing by leaps and bounds because it is both timely and relevant.”
The BSIMM rises to the challenge of measuring security, especially software security. “The BSIMM measurement tool and findings are extremely valuable. I use the data with my consulting clients for measurement and in my own research,” said Diana Kelly, an analyst with SecurityCurve. “I recommend that companies building security in to their SDLC get involved with the BSIMM project immediately.”
Using the BSIMM measuring stick, Dr. Gary McGraw, Dr. Brian Chess, and Sammy Migues conducted a series of in-person meetings with executives in charge of software security initiatives. Eleven of these sessions were conducted twice with the same firm, an average of 19 months apart, in order to determine how large-scale software security initiatives change over time.
Some highlights for the third major release of the BSIMM:
• BSIMM3 now includes 42 firms
• BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity
• 11 firms have been measured twice (providing Longitudinal Study data) and the data show measurable improvement
• The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
• BSIMM3 reveals that leading firms on average employ two full time software security specialists for every 100 developers
• BSIMM3 results show that mature software security initiatives are well rounded, with activities in all twelve practices, including strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing, and configuration management
BSIMM3 describes the work of 786 software security professionals working with a satellite of 1750 affiliated professionals to secure the software developed by 185,316 developers.
“Now that we have measurements over time, BSIMM3 includes more valuable data than ever,” said Sammy Migues, co-author of the study and Cigital Principal. “We are actively seeking more world-class firms to join the BSIMM Community as we look forward to BSIMM4.”
Beyond the published study, the forty-two firms participating in the BSIMM Project make up the BSIMM Community. The BSIMM Community hosts a private mailing list and an annual conference where executives from the 42 firms gather to discuss solutions with colleagues who have faced similar issues, seek out mentors from those who are farther along a career path, and band together to solve hard problems.
“BSIMM has been instrumental in documenting software security practices that are in use by a large number of diverse organizations,” said Eric Baize, BSIMM Advisor and Senior Director of the Product Security Office at EMC Corporation.
“BSIMM3 demonstrates that security has become part of the software culture in large mature organizations. Used in conjunction with other industry guidance, BSIMM3 can help guide development organizations towards building security into their software development practices.”