BSIMM's European Tour

Application security expert and Cigital CTO Dr. Gary McGraw is off to Europe this week to spread the gospel of the Building Security In Maturity Model (BSIMM). McGraw will be on the continent for a week, mostly in Germany and Switzerland.

McGraw is scheduled to speak to company developers during SAP's Quality Day today, in Mannheim, Germany. On March 16, he's off to Geneva to talk with the IT pros at CERN, and then to talk about how to start and evolve software security initiatives at the Cigital Europe Roundtable discussion. He'll also spend some time at Siemens, which is apparently taking a hard look at its security posture since Stuxnet, the first known malware that spies on and subverts industrial systems, struck last summer.

McGraw has written a bunch of must-read books on application security, including the classic (as far as I'm concerned, anyway) Software Security: Building Security In. He's also created the BSIMM with Sammy Migues, director of the Knowledge Management group at Cigital, and Dr. Brian Chess, chief scientist at HP's Fortify Software division. (HP acquired Fortify last year.)

I caught McGraw between planes last week to ask him about his trip and what we might expect in the next BSIMM release. (Think hard before you give your cell phone number.)

"We haven't really announced BSIMM3 yet, but there are two things of note coming," he said. "First, some large firms that have lots of business units internally asked us to do multiple BSIMM measurements and then come up with a roll-up score. That's a way for the CIO or central services to compare apples to apples when business units diverge. Second, we've done ten re-measurements of firms that have been involved in the BSIMM for a couple of years. The results are incredibly cool, but you'll have to wait for the summer to hear about them."

The BSIMM (pronounced "bee-simm") is the first maturity model for security initiatives created entirely from real-world data -- which is just the right approach for C-level execs.

"You have to speak to enterprises in the language they understand," observes Gartner Fellow Joseph Feiman. "Processes and methodologies are things that CIOs and department managers know. The BSIMM provides this maturity model, which would be accepted by those not on the security team. It's a very good idea, and an important first step."

A "maturity model" describes the capability of an organization's processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known maturity model in software engineering.

The BSIMM is based on in-depth interviews with thirty well-known companies considered to have implemented the most successful software security initiatives in the world. They include, among others, Microsoft, Adobe, Bank of America and Google. The organizations span seven verticals: financial services, independent software vendors, technology firms, healthcare, insurance, energy and media. The BSIMM researchers collected a range of data on each organization's software security activities, including strategy and metrics, standards and requirements, security testing, code review and training.

"Our goal was to build an empirical model for software security based on real, observed practices," McGraw told me when the BSIMM was first published in 2009. "We believe that the time has come to put away the bug-parade boogey man, the top-twenty-five tea leaves, the black-box Web-app goat sacrifice, and the occult reading of pen-testing entrails. This is an entirely data-driven model. If we didn't observe an activity, it didn't get into the model."

BTW: You can see Gary playing kick-ass jazz fiddle at a BSIMM mixer during the recent RSA Conference here. (I'm also a fan of his columns on informIT.)

Posted by John K. Waters on March 14, 2011