CERIAS Security Seminar Archive - The Building Security In Maturity Model (BSIMM)

Gary McGraw

Oct 7, 2009

Abstract

As a discipline, software security has made great progress over the last
decade. There are now at least 46 large scale software security initiatives
underway in enterprises including global financial services firms,
independent software vendors, defense organizations, and other verticals.
In 2008, Brian Chess, Sammy Migues and I interviewed the executives running
nine initiatives using the twelve practices of the Software Security
Framework as our guide. Those companies among the nine who graciously
agreed to be identified include: Adobe, The Depository Trust and Clearing
Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The
resulting data, drawn from real programs at different levels of maturity, was
used to guide the construction of the Building Security In Maturity Model
(BSIMM). This talk will describe the observation-based maturity model,
drawing examples from many real software security programs. A maturity
model is appropriate because improving software security almost always means
changing the way an organization works---people, process, and automation
are all required. While not all organizations need to achieve the same
security goals, all successful large scale software security initiatives
share common ideas and approaches. Whether you rely on the Cigital
Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from
practical experience. Since its March release, the BSIMM is being expanded
to include BSIMM Europe, BSIMM II, and BSIMM Lite. Use the BSIMM as a
yardstick to determine where you stand and what kind of software security
plan will work best for you.

About the Speaker

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com
personal www.cigital.com/~gem

Gary McGraw is the CTO of Cigital, Inc., a software security and quality
consulting firm with headquarters in the Washington, D.C. area. He is a
globally recognized authority on software security and the author of eight
best-selling books on this topic. His titles include Java Security, Building
Secure Software, Exploiting Software, Software Security, and Exploiting
Online Games; and he is editor of the Addison-Wesley Software Security
series. Dr. McGraw has also written over 100 peer-reviewed scientific
publications, authors a monthly security column for informIT, and is
frequently quoted in the press. Besides serving as a strategic counselor for
top business and IT executives, Gary is on the Advisory Boards of Fortify
Software and Raven White. His dual PhD is in Cognitive Science and Computer
Science from Indiana University where he serves on the Dean's Advisory
Council for the School of Informatics. Gary served on the IEEE Computer
Society Board of Governors, produces the monthly Silver Bullet Security
Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and
produces the Reality Check Security Podcast for CSO Online.