Monday, January 27, 2014

The best thing about BSIMM - it isn't a standard

The Building Security in Maturity Model (BSIMM) is not a standard - and that is the best part about it. Rather, BSIMM is a reflection of the secure software development practices deployed at 67 of the largest software development shops in the world, spanning software companies, financial institutions, healthcare companies, telecoms, and others. And this is what makes BSIMM great and differentiates it from standards. The BSIMM practices have been forged in the fires of threat and vulnerability and business profitability as opposed to an abstract entity from which too many security standards emanate.

In my limited experience in using BSIMM across several organizations, BSIMM is well received. Being a reflection of security practices of software development industry leaders, BSIMM changes the tone of the assessment from being viewed as an audit (somewhat adversarial) to a benchmarking study that will benefit the organization being reviewed. Companies are curious to know how they stand up against others.

BSIMM also fits well with a variety of development methodologies and contexts, whether waterfall, iterative, or agile. BSIMM is also adaptable, being divided into three maturity tiers. For some organizations, it may make sense to do just the tier 1 practices, while for others it might make sense to do all of tiers 1 and 2 and select tier 3 practices.

All of us in the security industry owe a big 'thank you' to the BSIMM authors - Sammy Migues, Gary McGraw, and the others. I'm looking forward to the development of observation-based security practices for other domains.