BSIMM4 Release Expands Software Security Measurement Tool and Describes New Activities

Cigital Inc., the world’s largest consulting firm specializing in software security, today announced the fourth major release of the Building Security In Maturity Model (BSIMM) study. This release continues BSIMM’s impressive growth and now describes real-world data from fifty-one firms with active software security initiatives. BSIMM4 encompasses ten times the measurement data of the original 2009 study (95 distinct measurements), and reports on two new activities, bringing the activity count going forward to 111.

The BSIMM4 project provides insight into fifty-one of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Originally launched in March 2009, the BSIMM is the industry's first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3 was released in September 2011 with data from forty-two firms and included a longitudinal study showing how software security initiatives have grown over time. BSIMM4, released today, covers fifty-one firms representing a range of twelve overlapping verticals including: financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), retail (2) and healthcare (1). The current release includes updated activity descriptions, two new activities and a longitudinal study.

“The BSIMM work is exciting not only because of its data-driven scientific approach to measurement, but also because of the community we have established,” said Dr. Gary McGraw, Cigital’s CTO. “There is nothing more satisfying than enabling top software security initiatives worldwide to cooperate in moving software security forward.”

Using the BSIMM measuring stick, Dr. Gary McGraw, Sammy Migues, and Jacob West conducted a series of in-person interviews with the executives in charge of the fifty-one software security initiatives to collect data for BSIMM4. For the first time in the BSIMM project, new activities were observed in addition to the original 109, resulting in the addition of two new activities to the model going forward. The new activities are "Simulate software crisis" and "Automate malicious code detection."

Some numerical highlights of BSIMM4:

  • BSIMM4 includes 51 firms from 12 industry verticals
  • BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
  • The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score)
  • BSIMM4 continues to show that leading firms on average employ two full-time software security specialists for every 100 developers
  • BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers

“We are very pleased with the effect BSIMM is having beyond its primary use as a reflection of the state of software security,” said Sammy Migues, co-author of the ongoing study and Cigital Principal. “We see it referenced directly in business partner discussions, in government and commercial acquisitions, in service level agreements, and vendor management processes.”

The fifty-one firms participating in the BSIMM Project make up the BSIMM Community. The BSIMM Community hosts a private mailing list and an annual conference where representatives gather in an off-the-record forum to discuss the day-to-day administration of software security initiatives. In 2011, 21 of 42 firms participated in the second annual BSIMM Community Conference, hosted in Washington State. In spring 2012, the first BSIMM Europe Community Conference, held in Amsterdam, included 17 firms with a presence in the European market.

“Fidelity Investments makes use of BSIMM measurements taken over time to identify areas for improvement in our software security initiative,” said David Smith, VP, Technology Risk Management, Fidelity. “Access to the BSIMM Community adds additional value both when trying to get new initiatives off the ground and when working to enhance and evolve existing initiatives. The BSIMM Community's industry leaders are knee deep in real-world software security, have a deep well of experience to draw on, and often have extremely effective initiatives well underway. As such, they provide valuable insight on how to succeed with software security at a world class level.”

For more information and to access the BSIMM4 study, which is distributed free of charge under a Creative Commons license, please visit: http://bsimm.com/

About Cigital

Cigital Inc., founded in 1992, is the world’s largest consulting firm specializing in software security and is the global leader in helping organizations to design, build, and maintain secure software. Our unique expertise, technologies, and training services are a culmination of over twenty years of research activities and thousands of successful software security consulting engagements at leading public and private organizations throughout the world. Cigital is headquartered outside Washington, D.C. with regional offices in the U.S., Europe, and India. For more information visit: http://www.cigital.com.

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.