The Building Security in Maturity Model (BSIMM)
Gary McGraw, CTO, Cigital, Inc., and Brian Chess, Chief Scientist, Fortify Software
As a discipline, software security has made great progress over the last decade. There are now at least 36 large-scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008 the speakers, together with Sammy Migues, interviewed the executives running nine of these initiatives, using the twelve practices of the Software Security Framework as their guide. The companies among the nine that graciously agreed to be identified include Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo.
The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of the Building Security in Maturity Model.
This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. Although not all organizations need to achieve the same security goals, all successful large-scale software security initiatives share ideas and approaches.
Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. BSIMM will help you determine where you stand and what kind of software security plan will work best for you.
author = {Gary McGraw and Brian Chess},
title = {The Building Security in Maturity Model ({{BSIMM}})},
year = {2009},
address = {Montreal, Quebec},
publisher = {USENIX Association},
month = aug
}