Practices that result in collections of corporate knowledge used to carry out software security activities, including both proactive security guidance and organizational threat modeling.
The penetration testing practice involves standard outside-in testing of the sort carried out by security specialists. Penetration testing focuses on vulnerabilities in the final configuration and provides direct feeds to defect management and mitigation.
The software environment practice concerns itself with OS and platform patching, web application firewalls, installation and configuration documentation, application monitoring, change management, and, ultimately, code signing.
The BSIMM is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives.