BSIMM is a self-described measuring stick for software security initiatives (SSIs). It’s also the subject of a unique annual report that tracks the evolution of software security program implementations. BSIMM is descriptive, not prescriptive. It doesn’t tell organizations what to do—it documents what organizations are doing in near real time and lets each organization decide for itself what will work best for its SSI.
For that reason, it also functions as a roadmap to better software security. While the model, data gathering, and annual reporting are observational and descriptive, we can use the historical data to define—one might say, prescribe—how SSIs are instantiated and matured toward a destination. The destination is an SSI that is mature and effective for that organization. Of course, just as is the case with a physical roadmap, there are multiple routes to get to a destination.
All of which means that the five most popular activities observed in BSIMM12 may or may not be the best fit for each organization. But if everybody, or almost everybody, is doing them, there’s probably a good reason. Indeed, these activities are all commonly found in highly successful SSIs.
Jacob Ewers, principal consultant with the Synopsys Software Integrity Group and a coauthor of BSIMM12, said the top activities are popular because “hundreds of smart people have implemented them in nearly every SSI we’ve looked at. If you’re not learning from these organizations, you’re probably missing out on something you should be doing.”
And given that those activities have remained in the top five for four years now, Ewers said it shows they are “broadly applicable and valuable to programs of many shapes, sizes, and maturity levels. While we would not say that every firm should do these, if you’re not doing them, it’s worth investigating why.”