Secure Coding mailing list archives

BSIMM Begin (please take the survey today)


From: gem at cigital.com (Gary McGraw)
Date: Thu, 24 Sep 2009 10:40:46 -0400

hi sc-l,

Today we launched BSIMM Begin, a web-based study focused on the most basic (and pervasive) BSIMM activities.

The Building Security In Maturity Model (BSIMM) was released in March 2009. Since March, the BSIMM has evolved and 
expanded in several ways. Most importantly, the BSIMM study has added data for fourteen companies to the original nine, 
bringing the study total to twenty-three (with three further efforts underway). These data indicate the model as 
originally devised is robust enough to retain its utility well into the future. The new data include a number of 
companies that are also household names in verticals branching from ISVs and financial services into insurance and 
pharmaceuticals. Later this year, these data will be released under the Creative Commons as BSIMM II.

BSIMM Europe is a study of nine large-scale European software security initiatives. Comparing the European market for 
software security tools and services to the US market has traditionally involved some guesswork. Data as gathered and 
reported in BSIMM Europe will shed plenty of light on the complexities of the real situation.

We are interested in increasing the number of observations covering software security initiatives that are just 
getting started. To do that, we introduce BSIMM Begin, a Web-based study focused on 40 of the 110 activities covered in 
the full BSIMM. Even if your organization is just getting started with a software security initiative, we hope that 
you will participate in the BSIMM Begin study yourself. Not only will you help make the study more thorough, you'll 
also come away with some idea of how your basic software security activities stack up against those practiced by 
others. Take the survey now...

http://bsi-mm.com/begin/

In fact, do what you can to get your friends and colleagues in other companies to take it too. The more data we gather 
the better off we'll all be.

Note that BSIMM Begin does not take the place of a full BSIMM assessment in any way. The full study focuses on 
activities that can be used to measure and compare fairly mature, large-scale software security initiatives. By 
contrast, BSIMM Begin focuses on new initiatives that are just getting off the ground. BSIMM Begin data will be 
segregated in a separate set of results and analyzed accordingly. For more about the BSIMM Begin study, see this 
month's informIT article ("BSIMM Begin" http://www.informit.com/articles/article.aspx?p=1397805).

This survey is best completed by someone with a working knowledge of the spectrum of software security activities 
actually being performed within a firm. BSIMM progress in the form of BSIMM Begin, BSIMM II, and BSIMM Europe is 
particularly good news for the observation-based model, which is based directly on hard data observed from the field. 
The more data we gather, the more we can say with confidence about the state of software security in the world. We're 
looking forward to the time (coming soon) when our data set reaches a size where statistically significant trends can 
be measured and reported.

As always, your feedback is welcome. Thanks in advance for your help!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
