Risk
9/18/2012
02:32 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

BSIMM4 Release Expands Software Security Measurement Tool And Describes New Activities

BSIMM4 project provides insight into 51 software security initiatives

DULLES, Va., September 18, 2012--Cigital, the world's largest consulting firm specializing in software security, today announced the fourth major release of the Building Security In Maturity Model (BSIMM) study. This release continues BSIMM's impressive growth and now describes real-world data from fifty-one firms with active software security initiatives. BSIMM4 encompasses ten times the measurement data of the original 2009 study (95 distinct measurements), and reports on two new activities, bringing the activity count going forward to 111.

The BSIMM4 project provides insight into fifty-one of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Originally launched in March 2009, the BSIMM is the industry's first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3 was released in September 2011 with data from forty-two firms and included a longitudinal study showing how software security initiatives have grown over time. BSIMM4, released today, covers fifty-one firms representing a range of twelve overlapping verticals including: financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), retail (2) and healthcare (1). The current release includes updated activity descriptions, two new activities and a longitudinal study.

"The BSIMM work is exciting not only because of its data-driven scientific approach to measurement, but also because of the community we have established," said Dr. Gary McGraw, Cigital's CTO. "There is nothing more satisfying than enabling top software security initiatives worldwide to cooperate in moving software security forward."

Using the BSIMM measuring stick, Dr. Gary McGraw, Sammy Migues, and Jacob West conducted a series of in-person interviews with executives in charge of the fifty-one software security initiatives to collect data for BSIMM4. For the first time in the BSIMM project, new activities were observed in addition to the original 109, resulting in the addition of two new activities to the model going forward. The activities are: Simulate software crisis and Automate malicious code detection.

Some numerical highlights of BSIMM4:

• BSIMM4 includes 51 firms from 12 industry verticals

• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition

• The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score)

• BSIMM4 continues to show that leading firms on average employ two full time software security specialists for every 100 developers

BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers.

"We are very pleased with the effect BSIMM is having beyond its primary use as a reflection of the state of software security," said Sammy Migues, co-author of the ongoing study and Cigital Principal. "We see it referenced directly in business partner discussions, in government and commercial acquisitions, in service level agreements, and vendor management processes."

The fifty-one firms participating in the BSIMM Project make up the BSIMM Community. The BSIMM Community hosts a private mailing list and an annual Conference where representatives gather together in an off-the-record forum to discuss day to day administration of software security initiatives. In 2011, 21 of 42 firms participated in the second annual BSIMM Community Conference hosted in Washington State. And in Spring of 2012, the first BSIMM Europe Community conference held in Amsterdam included 17 firms with a presence in the European market.

"Fidelity Investments makes use of BSIMM measurements taken over time to identify areas for improvement in our software security initiative," said David Smith, VP, Technology Risk Management, Fidelity. "Access to the BSIMM Community adds additional value both when trying to get new initiatives off the ground and when working to enhance and evolve existing initiatives. The BSIMM Community's industry leaders are knee deep in real-world software security, have a deep well of experience to draw on, and often have extremely effective initiatives well underway. As such, they provide valuable insight on how to succeed with software security at a world class level."

For more information and to access the BSIMM4 study, which is distributed free of charge under a Creative Commons license, please visit: http://bsimm.com/

About Cigital

Cigital Inc., founded in 1992, is the world's largest consulting firm specializing in software security and is the global leader in helping organizations to design, build, and maintain secure software. Our unique expertise, technologies, and training services are a culmination of over twenty years of research activities and thousands of successful software security consulting engagements at leading public and private organizations throughout the world. Cigital is headquartered outside Washington, D.C. with regional offices in the U.S., Europe, and India. For more information visit: http://www.cigital.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.