[Infowarrior] - BSIMM: The Building Security In Maturity Model

Richard Forno rforno at infowarrior.org
Tue Mar 10 00:06:39 UTC 2009


(Free PDF/HTML download of the Model @ the site)

http://www.bsi-mm.com/

The Building Security In Maturity Model

The Building Security In Maturity Model (BSIMM) described on this  
website is designed to help you understand and plan a software  
security initiative. BSIMM was created through a process of  
understanding and analyzing real-world data from nine leading software  
security initiatives. Though particular methodologies differ (think  
OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many  
initiatives share common ground. This common ground is captured and  
described in BSIMM. As an organizing feature, we introduce and use a  
Software Security Framework (SSF), which provides a conceptual  
scaffolding for BSIMM. Properly used, BSIMM can help you determine  
where your organization stands with respect to real-world software  
security initiatives and what steps can be taken to make your approach  
more effective.

BSIMM is not a complete "how to" guide for software security, nor is
it a one-size-fits-all model. Instead, BSIMM is a collection of good
ideas and activities that are in use today.

Software security is the result of many activities. People, process,  
and automation are all required. The SSF and BSIMM together allow us  
to discuss the myriad activities without becoming mired in details. To  
that end, we believe a simple approach that gets to the heart of the  
matter trumps an exhaustive approach with a Byzantine result.

A maturity model is appropriate because improving software security  
almost always means changing the way an organization works—something  
that doesn't happen overnight. BSIMM provides a way to assess the  
state of an organization, prioritize changes, and demonstrate  
progress. We understand that not all organizations need to achieve the  
same security goals, but we believe all organizations can be measured  
with the same yardstick.
