BSIMM4 reports on the software security initiatives of fifty-one firms. The fifty-one participating organizations are drawn from eight verticals (with some overlap): financial services (19), independent software vendors (19), technology firms (13), cloud (13), media (4), security (3), telecommunications (3), insurance (2), energy (2), media (2), retail (2), healthcare (1), and internet service provider (1). Those companies among the fifty-one who graciously agreed to be identified include:
- Bank of America
- Capital One
- The Depository Trust &
Clearing Corporation (DTCC)
- Fannie Mae
- Goldman Sachs
- JPMorgan Chase & Co.
- Nokia Siemens Networks
- Sallie Mae
- Scripps Networks
- Sony Mobile
- Standard Life
- Telecom Italia
- Thomson Reuters
- Wells Fargo
The 51 firms participating in the BSIMM Project make up the BSIMM Community. BSIMM Community resources include:
- A moderated private mailing list
- An annual BSIMM Conference (invitation only)
- A member's section of this website
The most important use of the BSIMM is as a measuring stick to determine where your approach currently stands relative to other firms. Do this by noting which activities you already have in place, and using “activity coverage” to determine level and build a scorecard. One meaningful comparison is to chart your own maturity high water mark against the averages we have published to see how your initiative stacks up. Below, we have plotted data from a (fake) FIRM against the BSIMM Earth graph.
If you're interested in participating in the BSIMM study, your data will need to be carefully collected in an interview process much like the one we used originally. Please contact us for more information. Note that self-reported results will not be used to evolve the model.
BSIMM4 describes the work of 974 Software Security Group (SSG) members (all full-time security professionals) working with a satellite of 2039 people to secure the software developed by 218,286 developers.
This is the fourth major release of the BSIMM project. The original study included 9 firms and 9 distinct measurements. BSIMM2 included 30 firms and 42 distinct measurements (some firms include very large subsidiaries which were independently measured). BSIMM3 included 42 firms, eleven that had been re-measured, for a total set of 81 distinct measurements. BSIMM4 includes 51 firms, thirteen of which have been re-measured (with one firm measured for a third time), yielding a total set of 95 distinct measurements.
BSIMM progress is particularly good news for the observation-based model, which is based directly on hard data observed from the field. The more data we gather, the more we can say with confidence about the state of software security in the world. Our data set has reached a size where statistically significant trends can be measured and reported.
BSIMM Advisory Board
The BSIMM Advisory Board provides oversight to the project and the BSIMM community. The appointed Board currently includes:
- Eric Baize, EMC
- Jeff Cohen, JPMC
- Janne Uusilehto, Nokia
- Brad Arkin, Adobe
- Jim Routh, Aetna
- David Smith, Fidelity
Thanks to the fifty-one executives from the world-class software security initiatives we studied from around the world to create BSIMM4. They include Adobe (Brad Arkin), Aetna (Jim Routh), Aon (Danny Harris), Bank of America (Jim Apple), Box (Jason Hengels), Capital One (Bryan Orme), DTCC, EMC (Eric Baize), F-Secure (Antti Vähä-Sipilä), Fannie Mae (Ted Jestin), Fidelity (David Smith), Goldman Sachs (Phil Venables), Google (Eric Grosse), Intel, Intuit (Shaun Gordon), JPMorgan Chase & Co. (Jeff Cohen), Mashery (Chris Lippi), McKesson (Mike Wilson), Microsoft (Steve Lipner), Nokia (Janne Uusilehto), Nokia Siemens Networks (Konstantin Shemyak), QUALCOMM (Alex Gantman), Rackspace (Jim Freeman), Salesforce (Robert Fly), Sallie Mae (Jerry Archer), SAP (Gunter Bitz), Scripps Networks Interactive (Greg Allender), Sony Mobile (Per-Olof Persson), Standard Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain Desausoi), Symantec (Gary Phillips), Telecom Italia (Marco Bavazzano), Thomson Reuters (Tom Lawton and Andrew Rowson), Vanguard (Samuel M. D’Amore, Jr.), Visa (Gary Warzala), VMware (Iain Mulholland), Wells Fargo (Eric Kurnie), and Zynga (Wade Winright). To those who can’t be named, you know who you are, and we could not have done this without you.
Thanks to Gabriele Giuseppini, David Harper, John Holland, Paco Hope, Matias Madou, and Florence Mottay who helped with data collection in Europe. Thanks to Andres Cools, Partha Dutta, Nabil Hannan, Jason Hills, Troy Jones, Drew Kilbourne, Brian Mizelle, Kabir Mulchandani, Jason Rouse, Joel Scambray, Carl Schwarcz, Rajiv Sinha, and Dave Wong for help with US data collection. Thanks to Matteo Meucci (Minded Security) and Markus Schumacher (Virtual Forge) for the translations into Italian and German, respectively. Thanks to Betsy Nichols (PlexLogic) for hard-core statistical analysis in BSIMM2.
Thanks to Pravir Chandra who built a draft maturity model under contract to Fortify Software and thereby sparked this project. Thanks to John Steven for building the first software security framework, described in Chapter 10 of Software Security. Thanks to John Steven, Roger Thornton, Mike Ware, Jim DelGrosso, and Robert Hines for helping us hammer out the SSF described here.
Data for the Building Security In Maturity Model was captured by Cigital and Fortify.
Statistical analysis by Cigital and PlexLogic.