And since we’re all connected, it’s crucial for the community of good guys to cooperate. After all, the bad guys cooperate regularly. The goal of the BSIMM report remains what it was when it was launched in 2008: to enable cooperation within the law-abiding community so that organizations can help one another build trustworthy software, not by dictating what to do but by documenting what other organizations are actually doing within their own software security initiative (SSI).
That’s why the BSIMM report describes itself as a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including cloud, financial services, financial technology, independent software vendors, insurance, Internet of Things (IoT), healthcare, and technology.
Those participants include nearly 11,900 security professionals helping more than 410,000 developers secure the software running 145,000 applications.
Each organization can decide on the best way to progress on its journey to maturity. Indeed, the whole idea of a roadmap is to show multiple routes to a destination without dictating which one to take.
But every organization needs an SSI that matches its own risk profile and priorities, because the threats are real and keep getting more sophisticated.
Software isn’t perfect—nothing is—and as daily headlines remind us, if hackers can exploit design flaws, bugs, and other defects in software, they can steal intellectual property, swipe the personal information of employees and customers, raid corporate bank accounts, undermine the physical security of a building, and take down the operations of an organization with ransomware attacks.
That means insecure software is a business risk—potentially an existential risk. And if you’re in business, you need to keep that software secure enough for you and your customers to trust it.