Secure Coding mailing list archives

BSIMM2


From: gem at cigital.com (Gary McGraw)
Date: Wed, 12 May 2010 08:53:53 -0400

hi sc-l,

In March 2009 we announced the publication of the BSIMM---a measuring stick for software security.  We're pleased today 
to announce the publication of BSIMM2.  We have tripled the size of the data set to thirty firms, including: Adobe, 
Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, 
Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and 
Wells Fargo.

BSIMM2 is available for free under the creative commons license from <http://bsimm2.com>.  Download your copy today.

The BSIMM2 document itself is 53 pages.  A concise treatment of the results can be found on the BSIMM2 web page under 
the "facts" tag: <http://bsimm2.com/facts/>

Our study represents the work of 635 people who are members of the 30 firms' SSGs.  Together, the firms have a 
collective 130 years of experience planning and executing 30 software security initiatives.  Among other results, we 
have identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important characteristic of the work.  We describe not what 
you should do for software security, but what successful software security initiatives are actually doing.  Use BSIMM2 
to measure your own software security initiative and compare it to others.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

MUSIC http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20
