Applying the BSIMM to Managing Risk in the Software Supply Chain
The BSIMMsc has now seen nearly eight years of use in real-world scenarios. Organizations use it primarily to separate vendors into three groups:
- Those who are clueless about software security and need encouragement to take it seriously.
- Those who have immature processes that result in software that sometimes passes a penetration test, but usually doesn’t.
- Those who clearly have the software security fundamentals for consistently generating high-quality software over time and for resilient operations that facilitate quick response when bad things happen.
Download the white paper
This white paper shows how the BSIMMsc leverages attestation and automation to function as a foundational security control for software supply chain risk management. If the BSIMM is a yardstick for an enterprise’s software security initiative, the BSIMMsc is a six-inch ruler focused on a specific risk management concern.
