This is a short introduction to BSIMM. For the full and unexpurgated model in all its glory, see the BSIMM4 document.
What is BSIMM?
BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.
Why software security?
Software security is about building software to be secure even when it is under attack. As we have learned from years network security drama, protecting software is much easier if the software is built with security in mind. Furthermore, security is a property and not a thing, so software security involves much more than simply adding security features like SSL or passwords to software.
Who needs this stuff?
Organizations that depend on software to work (and that's pretty much everybody these days) need software that doesn't leak millions of identity records, call election results into question, gin up huge legal liabilities, or allow secrets to fall into the wrong hands. The only way to make software trustworthy is to build security in. In short, everyone who relies on software needs the BSIMM.
What makes BSIMM so special?
We built the BSIMM entirely from observations we made by studying fifty-one real software security initiatives. The BSIMM does not tell you what you should do; instead, it tells you what everyone else is actually doing. This approach stands in sharp contrast to “faith-based” approaches to software security.
Who did you study?
BSIMM4 describes the software security initiatives at fifty-one well-known companies. The full public list of participants is here. All told, the BSIMM describes the work of 974 SSG members working with a satellite of 2039 people to secure the software developed by 218,286 developers. On average, the participants have practiced software security for nearly six years (with some initiatives being brand new at first measurement and the oldest initiative being seventeen years old in September 2012). We are immensely grateful to everyone who participates in the BSIMM, including those who can't be named. Thanks guys.
Who’s actually responsible for this stuff inside these companies?
The executives in charge of the fifty-one software security initiatives we studied have a variety of titles, including: Director of IT Security and Risk Management, Director of Application Controls, Product Security Manager, Sr. Manager of Product Security, SVP of Global Risk Management, Global Head of Information Security Markets, and CISO. We observed a fairly wide spread in exactly where the SSG is situated in the firms we studied as well. In particular, 15 report to CSOs, 11 SSGs exist in the CIO’s organization, 9 exist in the CTO’s organization, 4 exist in either the General Counsel’s office or the Office of Compliance and Risk Management, 1 reports to the COO, and 1 reports directly to the founder or CEO. A number of the companies we studied did not specify where their SSG fits in the larger organization.
What's in the BSIMM?
BSIMM4 describes 111 activities organized in twelve practices according to the Software Security Framework. During the study, we kept track of how many times each activity was observed in the fifty-one firms. Here are the resulting data (to interpret individual activities, download a copy of the BSIMM document which carefully describes the 111 activities).
When we describe an activity, we give the objective, a description, and one or more real examples to illustrate how organizations made it happen. The examples are never the only way to conduct a given activity, but we think they are helpful for understanding software security reality. Note that we have added significantly to many descriptions for BSIMM4.
So now I have to go do 111 security activities? Sounds like a lot. I hope you're not expecting a big "thank you" at this point.
Never fear! There's no organization that carries out all activities. We found a surprising amount of common ground between the financial services organizations, ISVs, and technology companies we studied, but all initiatives are by no means identical, and every organization is at least a little bit different. You wouldn't implement a carbon copy of a friend's financial plan, would you? Don't expect to lift their software security initiative either. Use the BSIMM as a source of ideas and general guidance—as a trail guide rather than as a cookbook.
Why are some activities highlighted?
The twelve highlighted activities are ones we observed most often in each practice.
I’m more of a visual person. Draw a picture for me?To give you some idea of analysis capabilities provided by the BSIMM, here are three “spider graphs” showing average maturity level over some number of organizations for the twelve practices. The first graph shows data from all fifty-one BSIMM firms. The second graph shows data from the top ten firms (as determined by raw score). The third graphs shows data from the financial services vertical (nineteen firms) and independent software vendors (nineteen firms) charted together. These charts are created by noting the highest level of activity in a practice for a given firm, and then averaging those scores for a group of firms, resulting in twelve numbers (one for each practice). The spider chart has twelve spokes corresponding to the twelve practices.
One obvious comparison would be to chart your own maturity high water mark against these averages to see how your program stacks up. Note that in all of these charts, level 3 (outside edge) is considered more mature than level 0 (inside point). The average was computed using the “high water mark” method for assessing level.
So is everybody in the study equally good at software security?
Not by a long shot. By computing a score for each firm in the study, we can also take a look at relative maturity and average maturity for one firm against the others. To date, the range of observed scores is [9, 93]. We are pleased that the BSIMM study continues to grow (the data set has grown just over 20% since publication of BSIMM3 and is nine and a half times the size of the original publication). Note that our sample size of fifty-one firms is large enough for some statistically significant analysis.
Is BSIMM a standard?
BSIMM is not a standard like Control Objectives for Information and related Technology (COBIT) or the Official Rules of Table Tennis (ping-pong). Instead BSIMM describes the set of activities practiced by fifty-one of the most successful software security initiatives in the world. In that sense, it is a de facto standard because it's what organizations actually do. You could say we discovered it rather than dreamed it up.
What should I do with BSIMM?
If you don't have a software security initiative, you need one. You can use BSIMM to get started. BSIMM can help you figure out how many people you'll need in your software security group, what those people should do first, and what kinds of things they'll probably be thinking about in a few years. If you already have a software security initiative, you can use BSIMM to learn where you stand and make plans for the future.
That's so cool! Who do I pay? How much does this cost?
BSIMM is free. As in, have at it. We've released BSIMM under a creative commons license. You can take it and use it as fodder for your own internal documents or use our data set to make a model of your very own. If you do those things, you are required to tell people where the material came from. In other words, point back to the BSIMM.
Maybe you could shed some light on who "we" is, Mr. first-person-plural?
What is an SSG? Do I have to have one?
All fifty-one BSIMM participants have an internal group devoted to software security—the Software Security Group (SSG). We have never observed an organization carrying out the activities in the BSIMM successfully without an SSG. SSG size on average is 19.48 people (smallest 1, largest 100, median 7.5) with a “satellite” of others (developers, architects and people in the organization directly engaged in and promoting software security) of 40.77 people (smallest 0, largest 350, median 6). The average number of developers among our targets was 4455 people (smallest 11, largest 30,000, median 1500), yielding an average percentage of SSG to development of just over 1.95%.
Though none of the fifty-one SSGs we examined had exactly the same structure (suggesting that there is no one set way to structure an SSG), there are some commonalities we observed that are worth mentioning. At the highest level of organization, SSGs come in three major flavors: those organized according to technical SDLC duties, those organized by operational duties, and those organized according to internal business units. Some SSGs are highly distributed across a firm, and others are very centralized and policy-oriented. If we look across all of the thirty SSGs in our study, there are several common “subgroups” that are often observed. They are: people dedicated to policy/strategy and metrics; internal “services” groups that (often separately) cover tools, pen testing, and middleware development/shepherding; incidence response groups; groups responsible for training development and delivery; externally-facing marketing/communications groups; and, vendor-control groups. For more about this issue see the informIT article You Really Need an SSG.
In the numbers reported above, we noted that percentage of SSG to development of just under 2% in the fifty-one organizations we studied. That means two SSG members for every 100 developers. The largest SSG was 27.27% and the smallest was 0.05%.
If BSIMM is so important, how has the world gotten along without it for so long?
For many software makers (including ISVs, banks, healthcare providers, governments, etc), software security has been a real concern only for ten years or less. The collective "we" are just now reaching the point where enough experience has been accumulated to compare notes and talk about what works at a macro level. Secure programming, penetration testing, and the like have been topics for a while now, but the best methods for organizing humans into software security initiatives take longer to emerge.
I get it, but my boss doesn’t. How do software security initiatives get off the ground?
Over 4 years of BSIMM study, we've seen the same kind of need for software security justification as we saw back in the day before IT security became mainstream. Back then, there were executives who simply didn’t get why firewalls were necessary or how intrusion detection helped prevent a small issue from becoming a big one or how simply teaching people how to think about security could actually change a corporate culture. In those early days even managers who understood the problem intellectually might be sorely tempted to see just how long the firm could wait before it became their turn to be victimized.
In the BSIMM data pool we’ve seen software security groups (SSGs) get their charter and funding under four broad sets of circumstances:
- Executive management said “We will make secure software” and funded the means to do it (e.g., the “Gates memo” at Microsoft).
- An established upper-management group responsible for some form of compliance determined that software security is a necessary expense in the firm’s governance processes.
- The IT security crew proved that a breach was not their fault, but rather a result of the firm’s applications. As a result, a software security person was appointed in the IT ranks.
- A charismatic software security entrepreneur (e.g., in the CIO, CTO, Legal, or governance groups) worked the system to get the ball rolling and then parleyed early successes into funding for an actual program.
It seems that the hard part these days isn’t necessarily selling upper management on the problem, but selling upper management that you’re the right person to lead the solution and that you actually have a plan. If you are “responsible” for software security in the sense that you are the person to get fired after a major software security failure and you cannot get resources for a program that will address the issues, quit now. Seriously. Life is just too short for that kind of nonsense, and there are plenty of employers willing to make real use of your abilities.