mailing list archives
Re: BSIMM4 Released Today
From: Gary McGraw <gem () cigital com>
Date: Wed, 26 Sep 2012 21:39:23 -0400
Once every blue moon, software security makes it into the major press. BSIMM4 did it today.
I think it's great when the major players get past the "train wreck" mentality that seems to pervade security coverage.
p.s. This Dennis Fisher podcast is worth a listen too:
From: gem <gem () cigital com<mailto:gem () cigital com>>
Date: Tuesday, September 18, 2012 9:56 AM
To: Secure Code Mailing List <SC-L () securecoding org<mailto:SC-L () securecoding org>>
Cc: Sammy Migues <SMigues () cigital com<mailto:SMigues () cigital com>>, Jacob West <jbw () hp com<mailto:jbw () hp
Subject: BSIMM4 Released Today
Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you
ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty
of light on current practice.
Download a copy today (for free under the Creative Commons) at http://bsimm.com<http://bsimm.com/>
BSIMM4 provides insight into fifty-one of the most successful software security initiatives in the world and describes
how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing
Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery,
McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks,
Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and
Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple
divisions measured separately and rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time software security specialists for every
• BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039
people to secure the software developed by 218,286 developers
Of particular interest to readers of sc-l, for the first time in the BSIMM project, new activities were observed in
addition to the original 109, resulting in the addition of two new activities to the model going forward. The
activities are: Simulate software crisis and Automate malicious code detection.
As always, your feedback is welcome.
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates