A lot has been said about what companies *could do* to build secure software. Ever wonder what companies *really do*? Now you can find out — the Building Security In Maturity Model (BSIMM) recently went public. Cigital, along with Fortify, conducted the study by interviewing leaders of software security initiatives to gather facts about what activities they carry out to meet software security goals.
This is a big, big deal for our industry. It’s all about being proactive, thinking about software security from day 1, and developing a strategy for going from point A to point B to point C. We finally have good data from serious, real-world initiatives showing what has worked over the years and what hasn’t. The companies included in the study that can be named are Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo.
The framework presented in the study is easy to read and understand. I invite you to ponder how your organization sizes up against the nine companies included in this study. If you’re not doing the core activities that all nine of them carry out, you may want to ask why.
Two other articles about BSIMM to check out:
- Software Security Top 10 Surprises (December 15, 2008)
- A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
What do you think?