The second release of the Building Security In Maturity Model, or BSIMM (pronounced “bee simm”), was unveiled yesterday.  The BSIMM is an observational study of real-world software security initiatives as implemented by Software Security Groups (SSGs) within 30 organizations from several vertical markets.

Software security is a relatively new practice that has evolved over the last ten years or so.  We now understand how important software security is and how expensive it is to address security after, rather than during, the software development lifecycle.  The last point cannot be overstated.  Security is a property, not a feature that can be added, such as using a particular protocol or bolting on cryptographic capabilities.  While the BSIMM will not tell you how to practice software security, or even what activities to embrace, it will tell you what others are doing.  This can be especially valuable if you operate in the same vertical market as one represented in the study.  Is this just a manifestation of the herd mentality?  That is doubtful, since this study encompasses the leading edge of where practice stands today.  The 30 firms in the study range from Adobe to Wells Fargo, with notables such as Google and Microsoft in between — certainly those with a great deal of experience in the field, so the BSIMM is not the blind leading the blind.

The BSIMM covers 109 areas in twelve practices outlined below.  These were described earlier by Gary McGraw and Brian Chess as a Software Security Framework.

Governance: Strategy and Metrics; Compliance and Policy; Training
Intelligence: Attack Models; Security Features and Design; Standards and Requirements
SDL Touchpoints: Architecture Analysis; Code Review; Security Testing
Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Of the 109 activities, fifteen were most commonly observed.  McGraw describes those in a separate article.

The good news is that the BSIMM is free.  You can download it and perform your own internal analysis or hire a consulting firm, like McGraw’s Cigital, to help provide an independent assessment of your internal practices.  With the data in hand, you can determine how you stack up against others and decide where you need to expend extra effort to mature your software security initiative.  The BSIMM provides some nice analysis tools to help with the comparison.  For instance, the averages for the 30 organizations in the study were graphed:

Figure: BSIMM "earth" (the average maturity across the 30 organizations in the study)

In short, the BSIMM is a good thing.  It will be interesting to note how the state of the practice changes as a result of this study and if it can cause maturation “down market” from these very large firms.