Real-world software security initiatives study

Cigital announced the fourth major release of the Building Security In Maturity Model (BSIMM) study. This release describes real-world data from fifty-one firms with active software security initiatives.

BSIMM4 encompasses ten times the measurement data of the original 2009 study (95 distinct measurements), and reports on two new activities, bringing the activity count going forward to 111.

Originally launched in March 2009, the BSIMM is the industry’s first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3 was released in September 2011 with data from forty-two firms and included a longitudinal study showing how software security initiatives have grown over time. BSIMM4, released today, covers fifty-one firms representing a range of twelve overlapping verticals.

“The BSIMM work is exciting not only because of its data-driven scientific approach to measurement, but also because of the community we have established,” said Dr. Gary McGraw, Cigital’s CTO. “There is nothing more satisfying than enabling top software security initiatives worldwide to cooperate in moving software security forward.”

Using the BSIMM as a measuring stick, Dr. Gary McGraw, Sammy Migues, and Jacob West conducted a series of in-person interviews with the executives in charge of the fifty-one software security initiatives to collect data for BSIMM4. For the first time in the BSIMM project, activities outside the original 109 were observed, resulting in the addition of two new activities to the model going forward: "Simulate software crisis" and "Automate malicious code detection."

Some numerical highlights of BSIMM4:

  • BSIMM4 includes 51 firms from 12 industry verticals
  • BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
  • The BSIMM4 data set has 95 distinct measurements (some firms were measured multiple times, and some firms with multiple divisions had each division measured separately and rolled into one firm score)
  • BSIMM4 continues to show that leading firms on average employ two full-time software security specialists for every 100 developers
  • BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers.