Multi-year study of real-world software security initiatives

The third major release of the “Building Security In Maturity Model” (BSIMM) study continues to add real-world data defining benchmarks for successfully developing and operating an enterprise software security initiative. The study reveals that firms participating in the BSIMM project show measurable improvement in their software security initiatives over time.

The BSIMM3 multi-year study provides insight into forty-two of the most successful software security initiatives in the world, identifying activities used by these organizations to effectively plan, structure, and execute the evolution of a software security initiative.

BSIMM3 describes the work of 786 software security professionals working with a satellite of 1750 affiliated professionals to secure the software developed by 185,316 developers.

Originally launched in March 2009, the BSIMM is the industry’s first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty.

BSIMM3 covers forty-two firms representing a range of eight overlapping verticals including: financial services (17), independent software vendors (15), technology firms (10), telecommunications (3), insurance (2), energy (2), media (2) and healthcare (1). The current release includes 109 thoroughly updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.

The BSIMM rises to the challenge of measuring security—especially software security. “The BSIMM measurement tool and findings are extremely valuable. I use the data with my consulting clients for measurement and in my own research,” said Diana Kelly an analyst with SecurityCurve. “I recommend that companies building security in to their SDLC get involved with the BSIMM project immediately.”

Using the BSIMM measuring stick, Dr. Gary McGraw, Dr. Brian Chess, and Sammy Migues conducted a series of in-person meetings with executives in charge of software security initiatives. Eleven of these sessions were conducted twice with the same firm, an average of 19 months apart, in order to determine how large-scale software security initiatives change over time.

Some highlights for the third major release of the BSIMM:

• BSIMM3 now includes 42 firms
• BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity
• 11 firms have been measured twice (providing Longitudinal Study data) and the data show measurable improvement
• The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
• BSIMM3 reveals that leading firms on average employ two full time software security specialists for every 100 developers
• BSIMM3 results show that mature software security initiatives are well rounded, with activities in all twelve practices including: strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing, and configuration management.

Enterprises contributing to the study include Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.