The Building Security In Maturity Model (BSIMM) presented at AUScert 2009

by Ken Van Wyk,

Summary : As a discipline, software security has made great progress over the last decade. There are now at least 25 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework http://www.informit.com/articles/article.aspx?p=1271382 as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works¬---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the software security maturity model to determine where you stand and what kind of software security plan will work best for you.