BSIMM lessons learned: There are no special snowflakes, but your firm is unique. People are essential but can’t do everything. And pen testing isn’t enough.
By providing actual measurement data from the field, the Building Security In Maturity Model (BSIMM) makes it possible to build a long-term plan for a software security initiative (SSI) and track progress against that plan. The BSIMM is dedicated to quantifying the activities carried out by real SSIs, to help the wider software security community plan, carry out, and measure initiatives on their own. Here are five lessons that can be taken from the BSIMM.
The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of real-world software security initiatives. Quantifying the practices carried out by real software security initiatives helps security teams to plan, carry out, and measure initiatives of their own.
After reviewing the software security initiatives (SSIs) of over 100 companies, we’ve uncovered several undeniable trends and truths. Here are the top five things to keep in mind as you build or tweak your program.
When it comes to deciding which activities will make your software secure, the 112 security activities described in the BSIMM fit every organization regardless of industry. What works to keep financial services firms secure will work for retailers, manufacturers, and you.
While the BSIMM defines what firms are doing to make software secure, the risk drivers in any given firm will result in unique prioritization, scale, implementation, depth, breadth, and other characteristics for the activities it implements. Tailoring the activities to those drivers is a foundational necessity for ongoing cost-effectiveness and success.
Unless your firm is very small, there isn’t a single group within the organization that touches every tool, system, configuration, or entry point. Provide everyone with awareness training and recruit other people or teams (the network of developers and architects outside the core security group that the BSIMM calls the “satellite”) to help you secure the nooks and crannies of your organization.
While you can buy any number of tools that go ‘ding’ in the night when vulnerabilities are discovered, someone has to be there to read the results, weed out the false positives, prioritize the findings, and fix the issues. Good people, not tools, make the difference.
Just like a tool can’t solve the software security problem by itself, neither can penetration testing; in the BSIMM it is one practice, not the whole program. The BSIMM highlights 12 core activities that every strong SSI does and 100 more that should be considered.
By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.