With the number of participating companies having tripled in one year, the people behind the Building Security In Maturity Model (BSIMM) have found that most of those companies have an internal group responsible for security, and that 15 security activities are almost universally carried out.
The BSIMM project began in March 2009 as a joint effort between Cigital and Fortify Software to record what organizations are doing to build security into their software and organizations. Starting with input from nine companies, the number of participating organizations has grown to 30, according to Gary McGraw, CTO at security consulting firm Cigital. He said the larger sample size allowed the group to statistically validate the model, and that the levels for measuring security are sound.
McGraw explained that the BSIMM team observed 109 activities that the 30 organizations do to secure their software, and those activities are broken down into 12 “large-scale conceptual buckets,” he said, such as training or code review. Then the activities within those buckets are further divided into three levels: The things that most of the organizations do are at the first level, while level 3 is for “the rocket science, things that are rarely done but are very cool,” he added.
Organizations can download BSIMM2 to compare their own activities to what other groups are doing and plan their security strategy going forward, explained Brian Chess, cofounder and chief scientist at Fortify Software, which makes vulnerability detection software and provides security services.
Chess said that the companies studied all do good hosting and network security. “They all have firewalls, that’s no great revelation,” he said. “But there are 14 other activities that almost all the companies universally do.” The 15 most common activities can be found here.
McGraw noted that if you’re just getting started with a security model, BSIMM2 “is a good way to see what other folks are doing.” Chess noted that not all organizations will get the same results because they don’t all use the same metrics to measure their security programs.
Among the findings are that across the 30 organizations participating, the size of the security group in those companies is 1% of the size of the developer group. “That’s a healthy number,” said Sammy Migues of Cigital. “So if Microsoft has 30,000 developers, that’s a lot of people dedicated to security.”
Chess added that some of the 30 participating companies have people whom he called “satellites”—security part-timers who sometimes work with the security team but “don’t have it on their business card. The satellite concept is an example of something companies might want to steal to improve their security initiatives.”
McGraw said the BSIMM2, published under the Creative Commons license, reflects the work of 635 people in software security groups in the 30 companies. “We’re building a community of like-minded organizations, and it’s cool to watch these guys talk about what’s working for them,” he said.
Chess said that although organizations like Adobe and Bank of America do very different things, “One thing we learned is that they actually have a lot in common.” When it comes to security, Chess quipped, “there are no special snowflakes.”