Gary McGraw’s team at Cigital just released version 4 of the BSIMM, the Building Security In Maturity Model. BSIMM is a survey of how software development organizations across many industries approach software security. It provides a good picture of the arsenal of techniques available to software security practitioners. EMC has been associated with BSIMM since its first release; we were one of the nine firms surveyed when the model was first built. We are delighted to see that the survey has grown to 50+ firms without major changes to the model. It tells me that we are certainly focusing on the right activities.
My preferred addition to the BSIMM4 model is the new activity related to malicious code detection, an important area of our product security practice. It is an acknowledgement that the risk created by software does not solely come from unintentional mistakes made by developers or architects, but can also be intentional or malicious. I would not be surprised to see future releases of the BSIMM model add more activities related to software integrity. If you are interested in this area, I recommend the SAFECode report “Overview of Software Integrity Controls”.
To paraphrase a wine connoisseur, I can tell you that this BSIMM nouveau is a good cru.