[Infowarrior] - BSIMM Begin released

Richard Forno rforno at infowarrior.org
Thu Oct 8 14:09:23 UTC 2009


(Note: no compensation has been received for the posting of this  
release. ---rf)

Software Security Self-Measurement with BSIMM Begin Introduced by  
Cigital and The SANS Institute

Effort will broaden the understanding of organizations getting started  
with software security

DULLES, VA, October 8, 2009 - Cigital, Inc., the largest consulting firm  
specializing in software security and quality in the world, and The  
SANS Institute, the most trusted and by far the largest source for  
information security training and certification, announce the release  
of the BSIMM Begin <http://bsi-mm.com/begin/>. BSIMM Begin is a Web- 
based study focused on introductory activities covered in the full  
Building Security In Maturity Model (BSIMM) <http://www.bsi-mm.com>.   
BSIMM Begin will significantly broaden BSIMM data collection to  
include self-reported data from firms just starting software security  
initiatives.

BSIMM was released in March 2009 based on data from nine firms. Since  
then, the size of the formally gathered data pool has nearly tripled  
and will soon be capable of providing back to the community  
statistically significant facts and guidance on how organizations are  
getting software security done.

In addition to formal BSIMM efforts, BSIMM Begin aims to significantly  
broaden data collection. To keep the survey manageable, the scope has  
been limited to the BSIMM Level 1 activities. The goals of this survey  
are two-fold: to provide participants with a solid understanding of  
where they stand with respect to foundational software security  
activities; and to provide an understanding of where they stand  
relative to everyone else that participates. BSIMM Begin will broaden  
the collective understanding of what "keeping up" really means.

The BSIMM Begin survey can be accessed from the landing site:
http://bsi-mm.com/begin/

Dr. Gary McGraw, Cigital CTO and world-renowned software security  
authority said, "The BSIMM provides a new understanding of what is  
actually happening out in the world when it comes to software security  
initiatives.  BSIMM Begin is exciting because it will broaden our data  
set to include small to medium size firms just getting started with  
software security.  In BSIMM work we let the data speak for themselves  
and leave the pontification to others."

"Software security is a critical issue for CSOs and CISOs today," said  
Derek Slater, CSO magazine editor in chief.  "There is value in  
conducting this type of research, and value adding our audience's  
voice to research. We're looking forward to reviewing and sharing the  
results."

The Software Assurance Forum for Excellence in Code (SAFECode), a non- 
profit organization exclusively dedicated to increasing trust in  
information and communications technology products and services  
through the advancement of effective software assurance methods  
supports BSIMM Begin.  SAFECode executive director, Paul Kurtz stated,  
"BSIMM is unique in its data driven, observation-based nature.  
SAFECode supports BSIMM Begin as a constructive scientific initiative  
to improve software assurance."

"The application layer is now the most significant attack vector for  
cyber criminals and other adversaries.  The BSIMM Begin model has the  
potential to be an important source of information for software  
security initiatives," said Mason Brown, Director of SANS.  "If you  
are serious about improving software security, you would be remiss if  
you didn't consider the information BSIMM provides."

BSIMM Begin does not take the place of a full BSIMM assessment. For  
example, the full BSIMM expects an organization to have a formalized  
software security group (SSG) charged with carrying out or directing  
BSIMM activities. BSIMM Begin does not assume the existence of an SSG.  
In fact, it is of interest to find out who is carrying out various  
introductory software security activities without an SSG.  BSIMM Begin  
data will be segregated in a separate set of results and examined  
accordingly. The data will be published under the Creative Commons  
once they have been properly vetted and analyzed.

About Cigital
Cigital, Inc. is the largest software security and quality consulting  
firm in the world. Established in 1992, Cigital plans and implements  
initiatives that help organizations ensure their applications are  
secure and reliable while also improving how they build and deploy  
software. Our recognized experts apply a combination of proven  
methodologies, tools, and best practices to meet each client's unique  
requirements. Cigital has enabled some of the most well-known  
organizations in financial services, communications, insurance,  
hospitality, online gaming, e-commerce, and government to reduce their  
mission-critical software business risks. Cigital is headquartered  
outside Washington, D.C. with regional offices in the U.S., Europe,  
and India.

About SANS
SANS is the most trusted and by far the largest source for information  
security training and certification in the world. More than 95,000  
security professionals have been trained by SANS. SANS also develops,  
maintains, and makes available at no cost, the largest collection of  
research documents about various aspects of information security, and  
it operates the Internet's early warning system - Internet Storm  
Center. SANS was established in 1989 as a cooperative research and  
education organization. Its programs now reach more than 215,000  
security professionals around the world. Through SANS, a range of  
individuals from auditors and network administrators, to chief  
information security officers are sharing the lessons they learn and  
are jointly finding solutions to the challenges they face. At the  
heart of SANS are the many security practitioners in varied global  
organizations from corporations to universities working together to  
help the entire information security community.

Contact:
Terri Randolph
Cigital
703-404-5757
trandolph at cigital.com
