Some of the real-world experiences of software security leaders at Microsoft, Google, EMC and Adobe have been captured in a study that is being developed into a set of guidelines to show enterprises how to up their game in their own software security initiatives.

Fortify Software and the security consulting firm of Cigital are behind the scheme, which will be known as the Maturity Model for Software Security.

It has come about after the companies studied the form at nine organisations, all of them household names among financial services companies, software houses and technology firms. They included Adobe, EMC, Google, Microsoft, Qualcomm, Wells Fargo, and The Depository Trust and Clearing Corporation.

The Maturity Model for Software Security is the first concrete example of what really works for enterprise software security, not just a set of theoretical suggestions, Fortify said. 

In a company blog, Fortify founder and chief scientist Brian Chess noted that the model is not a standard like Control Objectives for Information and related Technology (COBIT) or the Official Rules of Table Tennis. “Instead BSIMM describes the set of activities practiced by nine of the most successful software security initiatives in the world. In that sense, it is a de facto standard because it’s what organizations actually do. You could say we discovered it rather than dreamed it up.”

Protecting software is much easier if the software is built with security in mind, and software security involves much more than simply adding security features like crypto, the company said.

The BSIMM model maps a set of benchmarks that detail what security activities actually work and provides a yardstick for measuring and planning the progress of any software security initiative, regardless of vertical industry or organisation size.

More information is to be released on Monday.