Tuesday, 27 September 2011

BSIMM 3

We published BSIMM3 today. The full model is here, and there's a summary article here.

We've now got 42 measurements (and more in the pipeline). This is the first year of BSIMM in which we've re-measured some of the early participants; to put it in fancy terms, we're now a longitudinal survey. It's cool to see some quantifiable evidence of progress within some of these software security initiatives. We worked hard to add at least one more example to each of the 109 activities. I'm happy about how it came out.

If you're new to the BSIMM, here's just a little bit of background:
The Building Security In Maturity Model (BSIMM, pronounced "bee simm") is an observation-based scientific model directly describing the collective software security activities of forty-two software security initiatives. Participants include Adobe, Intuit, Bank of America, Microsoft, EMC, SAP, Google, Visa, Wells Fargo, and VMWare. We measure an organization by conducting an in-person interview with the executive in charge of the software security initiative. We convert what we learn during the interview into a BSIMM scorecard by identifying which of the 109 BSIMM activities the organization carries out. (Nobody does all 109.)

As always, the BSIMM comes with a Creative Commons license that allows you to use it for your own purposes so long as you include a pointer back to the BSIMM.

Posted by bchess at 8:57 PM in Fortify
