Real-world data on software security initiatives

Cigital announced an updated release of the “Building Security In Maturity Model” (BSIMM) study, which significantly expands the data defining benchmarks for successfully developing and growing an enterprise-wide software security initiative.

Launched in March 2009, BSIMM is the industry’s first and only structured set of best practices for software security based on real-world data rather than philosophy and theory.

The latest release, BSIMM2, triples the size of the original study from nine organizations to 30, spanning seven overlapping verticals: financial services (12), independent software vendors (7), technology firms (7), healthcare (2), insurance (2), energy (2) and media (2). BSIMM2 now reports the collective expertise of 635 people in firms with 130 years of collective experience.

Based on in-depth interviews with leading enterprises such as Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo, among others, the BSIMM2 study provides insight into 30 of the most successful software security initiatives in the world, listing daily best practices used by these organizations to build security into their software and mitigate the business risk associated with broken software.

Using the software security framework, Chess, McGraw and Cigital co-author Sammy Migues conducted a series of in-depth fact-finding interviews with the executives in charge of the 30 software security initiatives. Data were collected on each initiative’s software security activities for strategy and metrics, training, standards and requirements, security testing, code review, penetration testing, etc., and a number of common themes across the successful initiatives emerged, including:

  • The necessity of a Software Security Group (SSG): SSG size on average is 21.9 people (smallest 0.5, largest 100, median 13). The average number of developers among organizations was 5061 people (smallest 40, largest 30,000, median 3000). These numbers yield an average ratio of SSG members to developers of just over 1 percent, or roughly 1 SSG member for every 100 developers.
  • Commonalities among SSG structure: At the highest level of organization, SSGs come in three major flavors: those organized according to technical SDLC duties, those organized by operational duties, and those organized according to internal business units.
  • Tested practices: The BSIMM clearly describes 109 activities that every organization can put into practice today.
  • A software security satellite: In addition to the SSG, many software security programs have identified a number of individuals (often developers, testers, and architects) who share common software security tasks, but are not directly employed in the SSG. On average, satellite size is 39.7 people (smallest 0, largest 300, median 11). Of particular interest, nine of the 10 firms with the highest BSIMM scores have an active satellite, and only eight of the remaining 20 firms outside of the top 10 do. This suggests that the more mature a software security initiative is, the more distributed its activities are.

Alongside the release of BSIMM2, Cigital announced a newly created BSIMM Advisory Board to help shepherd the emerging community and guide the work going forward.

The Board plans to hold the first BSIMM practitioner conference this fall in Washington, D.C. Board members include:

  • Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft
  • Eric Baize, Senior Director, Product Security Office, EMC Corporation
  • Jeff Cohen, Head of Product Security Assurance, Intel
  • Janne Uusilehto, Director, Head of Product Security, Nokia
  • Brad Arkin, Director of Product Security and Privacy, Adobe