View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Software
March 10, 2009

Maturity model offers software security yardstick

Outlines ten steps to success

By CBR Staff Writer

The wraps are off a maturity model for software security that gives the low-down on successful strategies and which could provide organisations with a yardstick for measuring the progress of their security initiatives.

The details of the Building Security In Maturity Model (BSIMM) have been released by Fortify Software and the security consulting firm of Cigital, following a study that draws on data from nine leading software security initiatives at businesses such as Adobe, EMC, Google, Microsoft, Qualcomm, Wells Fargo, and The Depository Trust and Clearing Corporation.

The nine were chosen because they were considered to be some of most advanced large-scale software security initiatives currently underway, said Gary McGraw CTO of Cigital.

He explained that the BSIM model maps a set of benchmarks that detail which security activities work well, and what processes need to be in place to support them.

“We set out with the intention of building an empirical model for software security, rather than something that comes across as alchemy. We wanted to build a model that fits all cases and is based on what leaders in the field do, and on their real experiences of what works best.”

As an organising feature, the researchers used a Software Security Framework (SSF), which provided them with a conceptual scaffolding for BSIMM. 

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

During the study the two sponsoring companies managed to tease out of discussions with executives leading their organisation’s software security initiatives several guiding practices.

“We didn’t go in with a checklist, but we did find that the participants were telling us the same things over and over about how they handle the security process,” Brian Chess, chief scientist and founder of Fortify told us.

All of the companies were found to have created standard approaches to security, for one, they all collect and publish attack stories for another, and they always feed back to the development group the details of software bugs found in operations monitoring.

“Some of this sounds pretty straight-forward” McGraw said, “but sadly some organisations are not going about the business of building in software security in the right way.”

According to the findings of the study there are ten core activities that all of the top software security teams are doing, and doing well. 

The data suggests that any software security group would be well advised to consider these as guiding principles.

Some of the core activities are issues of culture and business process: build support throughout the organisation and create an evangelism or internal marketing role for software security; or meet regulatory needs or customer demand with a policy and a unified approach. 

Other core activities suggest a need for automated security tools: use an encapsulated attacker perspective and integrate black box security tools into the quality assurance process (including protocol fuzzing); or demonstrate that your organisation’s code needs help by using external penetration testers to find problems.

Chess and McGraw intend to continue developing the model as more participants share data. “Properly used, BSIMM can help you determine where your organisation stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective,” Chess said.

This work is being licensed under the Creative Commons Attribution-Share Alike scheme and organisations are invited to participate. 


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.