At the time of the BSIMM7 release today (October 4, 2016), the BSIMM Project has been underway for eight years. During that time, the size of the data set has multiplied over 26 times from 9 measurements to 237. Additionally, the number of firms whose software security initiatives we describe has grown from 9 to 95. As my co-author Sammy would say, “Pretty not bad.”
Real objective facts and measurements are all too rare in computer security. Software security is no different. The BSIMM addresses the science problem head on and has in this way become a de facto standard for software security.
I am very proud of the BSIMM Community that we’ve built together. The collective power of 1,111 software security group (SSG) members working diligently at 95 firms (and who, incidentally, direct the work of 3,595 satellite members) is now managing the risk of 87,244 applications built by 272,782 developers. The BSIMM is making a tangible difference in the world.
BSIMM growth is accelerating at a pace never seen before in the project. The study now describes software security as practiced at 95 firms. This is particularly significant because we drop all data from firms whose assessments are over 42 months old in order to keep the BSIMM data current. Turns out that the number of firms we have added since BSIMM6 is actually 30. Impressive growth indeed.
The BSIMM is also a living model, designed to adapt and evolve as software security itself evolves. We carefully observe the BSIMM Community and make adjustments to the model based on our objective observations. This is illustrated by the addition of a new activity in BSIMM7 addressing the use of software containers. As we do with each release, we edited every single activity description in the BSIMM to make sure each one is relevant and up to date. You’ll find lots more about Agile software development and the cloud in BSIMM7.
As the BSIMM has grown, so has its reach into more business verticals. Part of the power of the BSIMM is finding a curated collection of like-minded firms whose software security lessons can be easily adapted and adopted. In BSIMM7 we added a vertical for insurance, following on the addition of the healthcare vertical in BSIMM6. We also describe data from a cloud vertical in BSIMM7. As adoption of the BSIMM continues, we expect new verticals to emerge from the data including automotive and energy.
The time between the release of BSIMM6 and the release of BSIMM7 was one year. We expect this annual cadence to continue as we move forward. With the exploding growth of our science project, we want to shorten the cycles between updates so the BSIMM Community can access and use the data as it expands. You can now expect the BSIMM to be updated on or around October 1 every year.
As the BSIMM Community grows, so does the level of activity within the community. When we built the BSIMM, our early adopters suggested that they would like to meet their fellow BSIMM users. Based on that request, we created a BSIMM Community Conference—and what a conference it is! The ability to interact and share information with the BSIMM Community in a Chatham House rules situation is an enormous benefit. In August we launched an enhanced version of the online community, enabling member firms to interact in a gated virtual environment even when the conference is not underway. So, you may turn to the BSIMM for an objective measurement of your software security capability, but it is the BSIMM Community that keeps you involved.