The BSIMM Nouveau Has Arrived

Gary McGraw’s team at Cigital just released version 4 of the BSIMM, the Building Security In Maturity Model. BSIMM is a survey of how software development organizations across many industries approach software security. It provides a good picture of the arsenal of techniques available to software security practitioners. EMC has been associated with BSIMM since its first release; we were one of the nine firms surveyed when the model was first built. We are delighted to see that the survey has grown to 50+ firms without major changes to the model. It tells me that we are certainly focusing on the right activities.

My preferred addition to the BSIMM4 model is the new activity related to malicious code detection, an important area of our product security practice. It is an acknowledgement that the risk created by software does not solely come from unintentional mistakes made by developers or architects, but can also be intentional or malicious. I would not be surprised to see future releases of the BSIMM model add more activities related to software integrity. If you are interested in this area, I recommend the SAFECode report “Overview of Software Integrity Controls”.

To paraphrase a wine connoisseur, I can tell you that this BSIMM nouveau is a good cru.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC, where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Master of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France, and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize