This is not a Wikipedia article: it is an individual user's work-in-progress page, and may be incomplete and/or unreliable.
BSIMM (pronounced "bee simm") is short for Building Security In Maturity Model. It was originally developed in 2009 through a collaboration between Cigital and Fortify experts, using data from nine companies. The BSIMM is a study of real-world software security initiatives, organized so that organizations can determine where their own software security initiative stands and how to evolve their efforts over time.
The BSIMM model is made up of 113 observed activities organized into 12 practices. Because the model is built from real data points, organizations can use it to determine areas of strength and weakness in their software security practices.
History
Wanting to bring a more scientific approach to software security, Gary McGraw and Sammy Migues (Cigital) and Brian Chess (Fortify) studied the security practices at Google, Microsoft, Adobe, and other tech companies, as well as at non-tech companies that write their own software, such as Wells Fargo and the Depository Trust & Clearing Corp.[1]
Despite having developed their security measures in relative isolation from one another, McGraw, Migues, and Chess found that a number of companies were consistent in their security practices. The BSIMM model breaks security down into 12 segments, including strategy & metrics, code review, penetration testing, and architecture analysis.
Since the original release in 2009, BSIMM has undergone several revisions; the most recent update, BSIMM4, was released in September 2012.
BSIMM4
BSIMM4 describes the software security initiatives at fifty-one well-known companies: the work of 974 Software Security Group members, working with a satellite of 2,039 people, to secure the software developed by 218,286 developers. The fifty-one participating organizations are drawn from eight verticals (with some overlap): financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), media (2), retail (2), healthcare (1), and internet service provider (1). The companies among the fifty-one that have agreed to be identified include:[2]
- Adobe
- Aon
- Bank of America
- Box
- Capital One
- The Depository Trust & Clearing Corporation (DTCC)
- EMC
- F-Secure
- Fannie Mae
- Fidelity
- Goldman Sachs
- Intel
- Intuit
- JPMorgan Chase & Co.
- Mashery
- McKesson
- Microsoft
- Nokia
- Nokia Siemens Networks
- QUALCOMM
- Rackspace
- Salesforce
- Sallie Mae
- SAP
- Scripps Networks
- Sony Mobile
- Standard Life
- SWIFT
- Symantec
- Telecom Italia
- Thomson Reuters
- Vanguard
- Visa
- VMware
- Wells Fargo
- Zynga
References
1. Worthen, Ben. "New Effort Hopes to Improve Software Security". The Wall Street Journal. Retrieved 15 May 2013.
2. "Facts". BSIMM. Retrieved 15 May 2013.