Wednesday, 4 March 2009
BSIMM
I've spent the last few months running around with Gary McGraw and Sammy Migues talking to organizations that represent the leading edge of software security. We talked to top software vendors, financial services companies, and technology companies. It's been fascinating for many reasons, not the least of which is how similar the leaders' approaches are considering how different their businesses are. The result of these interviews is a new study we announced today called the Building Security In Maturity Model (BSIMM). BSIMM has its own Web site. Take a look.
The meat of BSIMM is a set of real-world software security activities, all of which we observed in one or more of the organizations we studied. We've organized the activities so that you can determine where you stand with your software security initiative and how you can best evolve an initiative over time. Until now, the great majority of the published work in our field has been either small-scale (shown to work for one program or one programming team) or unproven (a bunch of good ideas that might or might not work outside the group that created them). To my knowledge, this is the first real study of the software security practices across a range of successful organizations.
So far we've seen a warm reaction from the press and analysts. See this piece in the Wall Street Journal. But the best reactions have been from the participants. People have been really excited to see the results and learn about how they compare to their peers. We hope BSIMM will improve ties among the community of people who lead a software security initiative in their organization. We plan to continue adding new organizations to the model, so if you're interested, please drop me a line.