Community
BSIMM3 reports on the software security initiatives of forty-two firms. The forty-two participating organizations are drawn from eight verticals (with some overlap): financial services (17), independent software vendors (15), technology firms (10), telecommunications (3), insurance (2), energy (2), media (2), and healthcare (1). Those companies among the forty-two who graciously agreed to be identified include:
- Adobe
- Aon
- Bank of America
- Capital One
- The Depository Trust & Clearing Corporation (DTCC)
- EMC
- Fannie Mae
- Fidelity
- Intel
- Intuit
- Mashery
- McKesson
- Microsoft
- Nokia
- QUALCOMM
- Sallie Mae
- SAP
- Scripps Networks Interactive
- Sony Ericsson
- Standard Life
- SWIFT
- Symantec
- Telecom Italia
- Thomson Reuters
- Visa
- VMware
- Wells Fargo
- Zynga
The 42 firms participating in the BSIMM Project make up the BSIMM Community. BSIMM Community resources include:
- A moderated private mailing list
- An annual BSIMM Conference (invitation only)
- A member's section of this website
Get Involved
The most important use of the BSIMM is as a measuring stick to determine where your approach currently stands relative to other firms. Do this by noting which activities you already have in place, then using “activity coverage” to determine your level and build a scorecard. One meaningful comparison is to chart your own maturity high water mark against the averages we have published to see how your initiative stacks up. Below, we have plotted data from a (fake) FIRM against the BSIMM Earth graph.

If you're interested in participating in the BSIMM study, your data will need to be carefully collected in an interview process much like the one we used originally. Please contact us for more information. Note that self-reported results will not be used to evolve the model.
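The scorecard comparison described above, as an added example that is not part of the BSIMM site or model: it reads activity labels in BSIMM's practice-abbreviation plus level.index convention (e.g. SM1.1), counts activity coverage per practice, takes the highest level with any observed activity as that practice's high water mark, and charts it against a published average. The observed activity list and the per-practice averages are constructed placeholders, not BSIMM3's published figures.

```python
import re
from collections import defaultdict

# BSIMM labels each activity <practice abbreviation><level>.<index>, e.g. SM1.1.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")

# Constructed sample input: activities a hypothetical firm already has in place.
OBSERVED = ["SM1.1", "SM1.4", "SM2.2", "CR1.2", "CR1.4", "CR2.1", "CR3.2", "PT1.1", "T1.1"]

# Constructed placeholder averages per practice; these are NOT BSIMM3's published figures.
PUBLISHED_AVG = {"SM": 1.6, "CR": 1.9, "PT": 1.5, "T": 1.3, "AA": 1.4}


def parse_activity(label):
    """Split a BSIMM-style activity label into (practice, level); reject malformed input."""
    m = ACTIVITY_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a BSIMM activity label: {label!r}")
    return m.group(1), int(m.group(2))


def activity_coverage(observed):
    """Count observed activities per practice and level: {practice: {level: count}}."""
    cov = defaultdict(lambda: defaultdict(int))
    for label in observed:
        practice, level = parse_activity(label)
        cov[practice][level] += 1
    return {p: dict(levels) for p, levels in cov.items()}


def high_water_marks(observed, practices):
    """Highest level with at least one observed activity per practice (0 if none observed)."""
    cov = activity_coverage(observed)
    return {p: (max(cov[p]) if p in cov else 0) for p in practices}


def scorecard(observed, averages):
    """Chart the firm's high water mark against the published average for each practice."""
    hwm = high_water_marks(observed, averages)
    return {p: {"high_water_mark": hwm[p], "average": avg, "delta": round(hwm[p] - avg, 2)}
            for p, avg in averages.items()}


if __name__ == "__main__":
    for practice, row in scorecard(OBSERVED, PUBLISHED_AVG).items():
        print(f"{practice:4} HWM={row['high_water_mark']} avg={row['average']:.1f} "
              f"delta={row['delta']:+.2f}")
```

A practice with no observed activity (AA here) scores 0, which is the gap the comparison is meant to surface.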
BSIMM3 Growth
BSIMM3 describes the work of 786 Software Security Group (SSG) members (all full-time software security professionals) working with a collection of 1750 others in their firms to secure the software developed by 185,316 developers in 42 firms.
The original study (March 2009) included 9 firms and 9 distinct measurements. BSIMM2 (May 2010) included 30 firms and 42 distinct measurements (some firms include very large subsidiaries which were independently measured). BSIMM3 includes 42 firms, eleven of which have been re-measured, for a total set of 81 distinct measurements.
BSIMM Europe (November 10, 2009) was a study of nine large-scale European software security initiatives.
BSIMM progress is particularly good news for the observation-based model, which is based directly on hard data observed from the field. The more data we gather, the more we can say with confidence about the state of software security in the world. Our data set has reached a size where statistically significant trends can be measured and reported.
BSIMM Advisory Board
The BSIMM Advisory Board provides oversight to the project and the BSIMM community. The appointed Board currently includes:
- Eric Baize, EMC
- Jeff Cohen, Intel
- Janne Uusilehto, Nokia
- Brad Arkin, Adobe
- Jim Routh, JPMC
Acknowledgements
Thanks to the forty-two executives from the world-class software security initiatives we studied from around the world. They include Adobe (Brad Arkin), Aon (Trey Keifer), Bank of America (Jim Apple), Capital One (Bryan Orme), DTCC, EMC (Eric Baize), Fannie Mae (Ted Jestin), Google (Eric Grosse), Intel (Jeff Cohen), Intuit (Shaun Gordon), McKesson (Mike Wilson), Microsoft (Steve Lipner), Nokia (Antti Vähä-Sipilä and Janne Uusilehto), QUALCOMM (Alex Gantman), Sallie Mae (Jerry Archer), SAP (Gunter Bitz), Scripps Networks Interactive (Greg Allender), Sony Ericsson (Per-Olof Persson), Standard Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Cassio Goldschmidt), Telecom Italia (Marco Bavazzano), Thomson Reuters (Tom Lawton and Andrew Rowson), Visa (Gary Warzala), VMware (Kris Inglis), and Wells Fargo (Eric Kurnie). To those who can’t be named, you know who you are, and we could not have done this without you.
Thanks to Gabriele Giuseppini, David Harper, John Holland, Paco Hope, Matias Madou, and Florence Mottay who helped with data collection in Europe. Thanks to Partha Dutta, Nabil Hannan, Jason Hills, Troy Jones, Drew Kilbourne, Brian Mizelle, Jason Rouse, Rajiv Sinha, and Dave Wong for help with US data collection. Thanks to Matteo Meucci (Minded Security) and Markus Schumacher (Virtual Forge) for the BSIMM2 translations into Italian and German, respectively. Thanks to Betsy Nichols (PlexLogic) for hard-core statistical analysis.
Thanks to Pravir Chandra who built a draft maturity model under contract to Fortify Software and thereby sparked this project. Thanks to John Steven for building the first software security framework, described in Chapter 10 of Software Security. Thanks to John Steven, Roger Thornton, Mike Ware, Jim DelGrosso, and Robert Hines for helping us hammer out the SSF described here.
Data for the Building In Security Maturity Model was captured by Cigital and Fortify.
Statistical analysis by Cigital and PlexLogic.
Many thanks to our friends at Minded Security and Virtual Forge for creating BSIMM translations – your efforts will help us reach a broader audience. Everyone can download the Italian translation and the German translation.