Secure Coding mailing list archives
BSIMM Begin (please take the survey today)
From: gem at cigital.com (Gary McGraw)
Date: Thu, 24 Sep 2009 10:40:46 -0400
hi sc-l,

Today we launched BSIMM Begin, a web-based study focused on the most basic (and pervasive) BSIMM activities.

The Building Security In Maturity Model (BSIMM) was released in March 2009. Since March, the BSIMM has evolved and expanded in several ways. Most importantly, the BSIMM study has added data for fourteen companies to the original nine, bringing the study total to twenty-three (with three further efforts underway). These data indicate the model as originally devised is robust enough to retain its utility well into the future. The new data include a number of companies that are also household names in verticals branching from ISVs and financial services into insurance and pharmaceuticals. Later this year, these data will be released under the Creative Commons as BSIMM II.

BSIMM Europe is a study of nine large-scale European software security initiatives. Comparing the European market for software security tools and services to the US market has traditionally involved some guesswork. Data as gathered and reported in BSIMM Europe will shed plenty of light on the complexities of the real situation.

We are interested in increasing the number of observations covering software security initiatives that are just getting started. To do that, we introduce BSIMM Begin, a Web-based study focused on 40 of the 110 activities covered in the full BSIMM. Even if your organization is just getting started with a software security initiative, we hope that you will participate in the BSIMM Begin study yourself. Not only will you help make the study more thorough, you'll also come away with some idea of how your basic software security activities stack up against those practiced by others.

Take the survey now... http://bsi-mm.com/begin/

In fact, do what you can to get your friends and colleagues in other companies to take it too. The more data we gather the better off we'll all be.

Note that BSIMM Begin does not take the place of a full BSIMM assessment in any way. The full study focuses on activities that can be used to measure and compare fairly mature, large-scale software security initiatives. By contrast, BSIMM Begin focuses on new initiatives that are just getting off the ground. BSIMM Begin data will be segregated in a separate set of results and analyzed accordingly. For more about the BSIMM Begin study, see this month's informIT article ("BSIMM Begin" http://www.informit.com/articles/article.aspx?p=1397805). This survey is best completed by someone with a working knowledge of the spectrum of software security activities actually being performed within a firm.

BSIMM progress in the form of BSIMM Begin, BSIMM II, and BSIMM Europe is particularly good news for the observation-based model, which is based directly on hard data observed from the field. The more data we gather, the more we can say with confidence about the state of software security in the world. We're looking forward to the time (coming soon) when our data set reaches a size where statistically significant trends can be measured and reported.

As always, your feedback is welcome. Thanks in advance for your help!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com