Community

BSIMM2 reports on data from 30 firms. The thirty organizations studied to date, all of them household names, are drawn from seven verticals (with some overlap): financial services (12), independent software vendors (7), technology firms (7), healthcare (2), insurance (2), energy (2), and media (2). Those companies among the thirty who graciously agreed to be identified include:

  • Adobe
  • Aon
  • Bank of America
  • Capital One
  • EMC
  • Google
  • Intel
  • Intuit
  • Microsoft
  • Nokia
  • QUALCOMM
  • Sallie Mae
  • Standard Life
  • SWIFT
  • Symantec
  • Telecom Italia
  • The Depository Trust & Clearing Corporation (DTCC)
  • Thomson Reuters
  • VMware
  • Wells Fargo

If you're interested in participating in the BSIMM study, your data will need to be carefully collected in an interview process much like the one we used originally. Please contact us for more information. Note that self-reported results will not be used to evolve the model.

BSIMM2 Growth

The Building Security In Maturity Model (BSIMM) was released in March 2009 with much fanfare. Since 2009, the BSIMM has evolved and expanded in several ways. Most importantly, the BSIMM study has added data for twenty-one companies to the original nine, bringing the study total to a statistically significant set of thirty firms. These data indicate the model as originally devised is robust enough to retain its utility well into the future. The BSIMM continues to grow and expand.

BSIMM Europe was a study of nine large-scale European software security initiatives. Comparing the European market for software security tools and services to the US market has traditionally involved some guesswork. The data gathered and reported in BSIMM Europe shed plenty of light on the complexities of the real situation. See the article BSIMM Europe (November 10, 2009).

BSIMM2 is the second release of the model and incorporates five data-driven changes. Download it.

BSIMM progress is particularly good news for the observation-based model, which is based directly on hard data observed from the field. The more data we gather, the more we can say with confidence about the state of software security in the world. Our data set has reached a size where statistically significant trends can be measured and reported.

BSIMM Advisory Board

The BSIMM Advisory Board provides oversight to the project and the BSIMM community. The appointed Board currently includes:

Acknowledgements

Thanks to the thirty executives from the world-class software security initiatives we studied from around the world. The thirty include Adobe (Brad Arkin), Aon (Gary Warzala), Bank of America (Jim Apple), Capital One (Bryan Orme), DTCC (Jim Routh), EMC (Eric Baize), Google (Eric Grosse), Intel (Jeff Cohen), Intuit (Shaun Gordon), Microsoft (Steve Lipner), Nokia (Antti Vähä-Sipilä and Janne Uusilehto), QUALCOMM (Alex Gantman), Sallie Mae (Jerry Archer), Standard Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Cassio Goldschmidt), Telecom Italia (Marco Bavazzano), Thomson Reuters (Tom Lawton and Andrew Rowson), VMware (Kris Inglis), and Wells Fargo (David Hahn). To those who can't be named, you know who you are, and we could not have done this without you.

Thanks to Gabriele Giuseppini, David Harper, Florence Mottay, and Matias Madou who helped with data collection in Europe. Thanks to Troy Jones, Drew Kilbourne, Brian Mizelle, and Rajiv Sinha for help with US data collection. Thanks to Matteo Meucci (Minded Security) and Markus Schumacher (Virtual Forge) for the translations into Italian and German, respectively. Thanks to Betsy Nichols (PlexLogic) for hard-core statistical analysis.

Thanks to Pravir Chandra who built a draft maturity model under contract to Fortify Software and thereby sparked this project. Thanks to John Steven for building the first software security framework described in Chapter 10 of Software Security. Thanks to John Steven, Roger Thornton, Mike Ware, Jim DelGrosso, and Robert Hines for helping us hammer out the SSF described here.

Data for the Building Security In Maturity Model was captured by Cigital and Fortify. Statistical analysis by Cigital and PlexLogic.


Many thanks to our friends at Minded Security and Virtual Forge for creating BSIMM translations – your efforts will help us reach a broader audience. Everyone can download the Italian translation and the German translation.
