The BSIMM (Building Security In Maturity Model) is gaining a measure of maturity itself – its sixth iteration went public earlier this week.
The fundamental goals remain what they were at the beginning, in 2009, according to Gary McGraw, CTO of Cigital, one of the cofounders and the BSIMM’s chief spokesman: To save software developers both headaches and money by building security into their products from the start, instead of trying to bolt it on later.
“It is a descriptive model, not prescriptive,” he said. “It doesn’t tell you what you should do. It tells you what other people are already doing.”
And BSIMM6 is able to tell you a lot more, from more verticals than in the past. Starting with a limited set of best practices culled from nine participating companies with software security initiatives in 2009, the organization now presents 112 “activities” from 78 companies – many of them among the biggest players in their respective industries. Those activities are grouped under four main “domains”: Governance, Intelligence, SSDL (Secure Software Development Lifecycle) and Deployment.
About 30 of them are common to more than two-thirds of the participants. “We’re not saying you (developers) should do them all,” McGraw said, “but it lets you see what has already worked.”
Close to half the participating companies (33) are in financial services, but other major participants include independent software vendors (27) and consumer electronics (13). There are a smaller number of participants in insurance, telecommunications, security, retail and energy.
The most significant increase is in the healthcare industry, which went from a single participant three years ago to 10, and includes major names like Aetna, McKesson and Zephyr Health.
“As a sector, they (healthcare) are behind,” he said. “But within that data, there are some seriously good leaders in software security, doing amazingly great things.”
Gary McGraw, CTO, Cigital
Based on the data presented in the BSIMM6 report, authored by McGraw, Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, healthcare falls significantly short in security practices, lagging behind every other sector – even consumer electronics, which is notorious for a lack of security because developers are more focused on getting new products out the door to maintain or gain market share than on making them secure.
In the press release announcing the launch, McGraw said the data show that healthcare organizations “have plenty to learn from other industries when it comes to software security. Fortunately, the BSIMM community is set up to facilitate and accelerate that learning.”