BSIMM for vendors


The BSIMM Community is made up of many different kinds of firms: firms that primarily acquire software, firms that primarily build and sell software, and firms that do both. Those BSIMM firms interested in promulgating software security among their software vendors are spearheading a software security vendor control model called the vBSIMM. The vBSIMM project is concerned with measuring large numbers of vendors to assess SSDL maturity and control risk.

vBSIMM (BSIMM for vendors)

Every modern enterprise uses lots of third-party software. Some of this third-party software is custom-built to specifications, some of it is commercial off-the-shelf software (COTS), and some lives in the Cloud as part of a software-as-a-service (SaaS) model. Many big firms, especially in the financial services vertical, are working hard on software security and are looking for ways to identify and manage the risk of third-party software.

Vendor control in the BSIMM: Measuring yourself

The BSIMM includes five specific activities (out of 116) that are relevant to controlling the software security risk associated with third-party vendors. These are worth calling out because they should be performed by all firms acquiring third-party software:

  1. Compliance and Policy activity 2.4: Include software security SLAs in all vendor contracts.
  2. Compliance and Policy activity 3.2: Impose policy on vendors.
  3. Standards and Requirements activity 2.5: Create SLA boilerplate.
  4. Standards and Requirements activity 3.2: Communicate standards to vendors.
  5. Training activity 3.2: Provide training for vendors or outsource workers.

Every firm that acquires third-party software (whether custom, COTS, or anything in between) should take the time to determine how well they are performing these five activities with each supplier.

Using a lightweight BSIMM derivative for vendor control

We introduced a completely revised compact, version of the BSIMM for vendors called the vBSIMM in an InformIT article, vBSIMM Take Two (BSIMM for Vendors Revised). You can think of the vBSIMM as a foundational security control for vendor management of third-party software providers.

The vBSIMM scheme is far from perfect, and it does nothing to guarantee that any particular vendor product is actually secure enough for all uses. The vBSIMM scheme is far superior to no vendor control at all, however, and in our opinion is much superior to a badness-ometer-based approach using after-the-fact penetration testing focused only on a handful of bugs.


250 / 250