BSIMM-V reports on the software security initiatives of sixty-seven firms drawn from twelve verticals (with some overlap): financial services (26), independent software vendors (25), cloud (16), technology firms (14), telecommunications (5), retail (4), security (4), healthcare (3), media (3), insurance (2), energy (1), and internet service provider (1). Those companies among the sixty-seven who graciously agreed to be identified include:
- Bank of America
- Capital One
- Comerica Bank
- Fannie Mae
- Goldman Sachs
- Hewlett Packard
- JPMorgan Chase & Co.
- Lender Processing Services Inc.
- Marks and Spencer
- Nokia Siemens Networks
- Pearson Learning Technologies
- Sallie Mae
- Sony Mobile
- Standard Life
- Telecom Italia
- Thomson Reuters
- Wells Fargo
The 67 firms participating in the BSIMM Project make up the BSIMM Community. BSIMM Community resources include:
- A moderated private mailing list
- An annual BSIMM Conference (invitation only)
- A member's section of this website
The most important use of the BSIMM is as a measuring stick to determine where your approach currently stands relative to other firms. Do this by noting which activities you already have in place, and using “activity coverage” to determine level and build a scorecard. One meaningful comparison is to chart your own maturity high water mark against the averages we have published to see how your initiative stacks up. Below, we have plotted data from a (fake) FIRM against the BSIMM Earth graph.
If you're interested in participating in the BSIMM study, your data will need to be carefully collected in an interview process much like the one we used originally. Please contact us for more information. Note that self-reported results will not be used to evolve the model.
BSIMM-V describes the work of 975 Software Security Group (SSG) members (all full-time security professionals) working with a satellite of 1,953 people to secure the software developed by 272,358 developers.
This is the fifth major release of the BSIMM project. The original study included 9 firms and 9 distinct measurements. BSIMM2 included 30 firms and 42 distinct measurements (some firms include very large subsidiaries which were independently measured). BSIMM3 included 42 firms, eleven that had been re-measured, for a total set of 81 distinct measurements. BSIMM4 included 51 firms, thirteen that had been re-measured (with one firm measured for a third time), yielding a total set of 95 distinct measurements. BSIMM-V includes 67 firms, 21 of which have been remeasured (with 4 firms measured for a third time), yielding a total set of 161 distinct measurements. As of BSIMM-V, 5 firms (representing 5 distinct measurements) have been dropped because their measurements were more than 48 months old.
BSIMM progress is particularly good news for the observation-based model, which is based directly on hard data observed from the field. The more data we gather, the more we can say with confidence about the state of software security in the world. Our data set has reached a size where statistically significant trends can be measured and reported.
BSIMM Advisory Board
The BSIMM Advisory Board provides oversight to the project and the BSIMM community. The appointed Board currently includes:
- Eric Baize, EMC
- Jeff Cohen, JPMC
- Janne Uusilehto, Nokia
- Brad Arkin, Adobe
- Jim Routh, Aetna
- David Smith, Fidelity
- Jacob West, HP
Thanks to the sixty-seven executives from the world-class software security initiatives we studied from around the world to create BSIMM-V. They include: Adobe (Brad Arkin), Aetna (Jim Routh), Bank of America (Jim Apple), Box, Capital One (Keith Gordon), Comerica Bank (George Smirnoff), EMC (Eric Baize), Epsilon (Chris Ray), F-Secure (Antti Vähä-Sipilä), Fannie Mae (Stan Wisseman), Fidelity (David Smith), Goldman Sachs (Phil Venables), HSBC (Malcolm Kelly and Simon Hales), Intel, Intuit, JPMorgan Chase & Co. (Jeff Cohen), Lender Processing Services Inc., Marks and Spencer (Noel Dunne), Mashery (Chris Lippi), McAfee (James Ransome), McKesson (Mike Wilson), Microsoft (Steve Lipner), NetSuite (Brian Chess), Neustar (Jonathan Coombes), Nokia (Janne Uusilehto), Nokia Siemens Networks (Konstantin Shemyak), PayPal (Erick Lee), Pearson Learning Technologies (Aaron Weaver), QUALCOMM (Alex Gantman), Rackspace (Jim Freeman), Salesforce (Robert Fly), Sallie Mae (Jerry Archer), SAP (Gerhard Oswald), Sony Mobile (Per-Olof Persson), Standard Life (Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Gary Phillips), Telecom Italia (Marco Bavazzano), Thomson Reuters (Timothy Mathias), TomTom (Xander Heemskerk), Vanguard (Samuel M. D'Amore, Jr.), Visa (Gary Warzala), VMware (Iain Mulholland), Wells Fargo (Steve Adegbite), and Zynga. To those who can't be named, you know who you are, and we could not have done this without you.
Thanks to Gabriele Giuseppini, David Harper, John Holland, Paco Hope, Matias Madou, and Florence Mottay who helped with data collection in Europe. Thanks to Andres Cools, Partha Dutta, Nabil Hannan, Jason Hills, Girish Janardhanudu, Troy Jones, Drew Kilbourne, Todd Lukens, Brian Mizelle, Kabir Mulchandani, Jason Rouse, Joel Scambray, Jay Schulman, Carl Schwarcz, Rajiv Sinha, Mike Ware, Caroline Wong, and Dave Wong for help with U.S. data collection. Thanks to Matteo Meucci (Minded Security), Markus Schumacher (Virtual Forge), and Susana Romaniz and team (UTN-FRSF) and Ivan Arce (Fundación Sadosky) for the translations into Italian, German, and Spanish, respectively. Thanks to Betsy Nichols (PlexLogic) for hard-core statistical analysis in BSIMM2.
Thanks to Pravir Chandra who built a draft maturity model under contract to Fortify Software and thereby sparked this project. Thanks to John Steven for building the first software security framework, described in Chapter 10 of Software Security. Thanks to John Steven, Roger Thornton, Mike Ware, Jim DelGrosso, and Robert Hines for helping us hammer out the SSF described here.
Data for the Building Security In Maturity Model was captured by Cigital and Fortify.
BSIMM model translations by VirtualForge (German), Minded Security (Italian), and UTN-FRSF and Fundación Sadosky (Spanish).
Statistical analysis by Cigital and PlexLogic.