BSIMM Europe

[gem at cigital.com (Gary McGraw)]

Hi Colin,

Good question.  We did not observe any activities in European initiatives that were not in the model.  We would have 
added them to the model had we made such observations.  We followed the same data collection protocol as in the first 
BSIMM, using interviews that were open (driven by the SSF) and not asking about particular activities.

The one delta that you likely noticed in the study is that the "things that everybody does" in Europe differ from those 
in the US.  There is some discussion of that in the article.

We hope to have BSIMM II out near the end of the year.  Our analysis then should feature some statistical insight.

gem

http://www.cigital.com/~gem


On 11/11/09 6:56 AM, "Colin Cassidy" <parttimesecurityguy at googlemail.com> wrote:

Gary,

Well done to you and your team for working on this, I've read the
article and was interested in something that actually didn`t appear.
There was a lot of comparisions between the activities that all the
european sites performed, and the activities that were not performed
w.r.t. the BSIMM activities and the american founders.

However there was no mention of any activities that were unique to the
european sites, was this studied at all, and will it be incorporated
into BSIMM 2?

CJC

On Wed, Nov 11, 2009 at 6:09 AM, Gary McGraw <gem at cigital.com> wrote:
> hi sc-l,
>
> Today we officially launch BSIMM Europe, a study of 9 EU firms' software security initiatives.  We continue to focus 
> our work on large-scale software security initiatives at major software firms.  Firms in the study included: Nokia, 
> Standard Life, SWIFT, Telecom Italia, and Thomson Reuters.
>
> An informIT article can be found here: http://www.informit.com/articles/article.aspx?p=1405841
>
> The article describes our findings regarding European software security by contrast with the original BSIMM.  We have 
> tripled the size of the BSIMM study to 27 firms with several more under way.  We hope to reach 30 firms by year end.
>
> We released BSIMM v1.5 as part of the BSIMM Europe push.  The document (released under the Creative Commons) is 
> available for download and now includes and appendix about BSIMM Europe http://www.bsi-mm.com/europe/.  The original 
> document has been translated into Italian (by Minded Security) and German (by Virtual Forge).
>
> We are very excited about BSIMM progress and look forward to sharing more real data with the community.  No more 
> faith based software security!
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________