BSIMM4 Released Today

[Gary McGraw <gem () cigital com>]

hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms.  If you 
ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty 
of light on current practice.

Download a copy today (for free under the Creative Commons) at http://bsimm.com<http://bsimm.com/>

BSIMM4 provides insight into fifty-one of the most successful software security initiatives in the world and describes 
how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing 
Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, 
McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, 
Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and 
Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple 
divisions measured separately and rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time software security specialists for every 
100 developers
• BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 
people to secure the software developed by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM project, new activities were observed in 
addition to the original 109, resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________