In the Press | Advance Praise

In the Press

What the BSIMM community is saying

“The BSIMM is a great vehicle for helping software developers assess, develop and grow their software security practices by defining benchmarks across geographies and industries. As one of the original nine BSIMM participants, Adobe is excited to continue guiding the growth of the BSIMM as a member of the advisory board.”

Brad Arkin
Director of Product Security and Privacy
Adobe

“Building a great Software Security Program is an ongoing process, and involves many complex challenges, both technical and organizational. I look forward to Google's continued participation in the BSIMM Study, and working with a community of like-minded Software Security professionals to share experiences and lessons learned.”

Matt Moore
Product Security
Google

“The BSIMM provided us with a useful metric to assess our product security assurance initiative. It helped to validate our current approach and provided some valuable suggestions for further improvement.”

Jeffrey Cohen
Head of Product Security Assurance
Intel

“BSIMM provides valuable information the software development industry can use, and we look forward to helping define future research results. It's encouraging to see that other organizations also benefit from practices that are elements of our Security Development Lifecycle and we expect to see additional specific benefits from the next phase of BSIMM research.”

Steve Lipner
Senior Director, Security Engineering Strategy, Trustworthy Computing Group
Microsoft

“BSIMM has given us direction where to invest resources in our application security programme to get the best return. The process has been very valuable.”

Tom Lawton
Head of Information Security, Markets Division
Thomson Reuters

“The BSIMM model has been instrumental as an influence for me in designing and implementing software security programs that achieve maturity.”

Jim Routh
Former CISO
Financial Services

“The BSIMM effort has broken new ground in software security by providing real-world data on corporate software assurance activities in practice today. SAFECode believes BSIMM provides an excellent foundation for future work to both measure and advance the effectiveness of software security efforts and we are looking forward to taking a closer look at the new data provided.”

Paul Kurtz
Executive Director
Software Assurance Forum for Excellence in Code (SAFECode)

"Nokia's participation in the BSIMM Europe project reflects a mutual, ongoing interest in setting, updating, and maintaining the highest standards in software security. The insights gained from the BSIMM project will doubtlessly further the definition of standards, which will not only serve as critical tools for measuring and comparing, but also enable the evolution of software security initiatives."

Janne Uusilehto
Head of Product Security
Nokia

"The path of improved software security has historically been a rocky one. To make it worse, the path has rarely been properly marked. The BSIMM fills this critical gap by providing a smoother, followable track to software security improvements. This practical maturity model allows organizations to benchmark their efforts against those of enterprises who have successful software security programs. By identifying what activities they could implement or strengthen, based on a comparison with industry best practices, organizations will be able to plan and implement activities which lead to more secure software."

Charles Kolodgy
Research Director
Secure Products
IDC

"In their groundbreaking BSIMM study, application security luminaries McGraw, Chess and Migues provide us with the guidance to achieve superior application security. They show us how we all might adopt the leading-edge practices of nine of the most advanced organizations in this space. This report will provide a huge boost to what is arguably the most critical goal of today's information professionals ... secure software."

C. Warren Axelrod, Ph.D.
Executive Advisor, Financial Services Technology Consortium
Author "Outsourcing Information Security"

"The BSIMM effort is a fabulous step forward for Software Security as a whole, since it represents what these huge enterprises are actually doing in practice. It helps us all move the discipline significantly closer to being a sound engineering practice. Kudos!"

Kenneth R. van Wyk
KRvW Associates, LLC
Co-author of "Secure Coding"

"Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organization operates. As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative."

Joe Feiman
Gartner

"Many people ask 'where do we start, and where do we go from here?' when considering building or expanding their software security initiative. Encompassing so many aspects—not the least of which are organizational rather than technical in nature—the use of a maturity model will help in setting proper strategic direction while not forgetting about the elements needed to make much-needed tactical wins."

Ramon Krikken
Analyst - Security and Risk Management Strategies
Burton Group

"EMC has made significant investments in software security with the goal of delivering more secure products to our customers. By opening our own practices to help define the Building Security in Maturity Model, we wish to help advance the adoption of software assurance practices in the industry, which is a critical objective for EMC."

Eric Baize
Senior Director, Product Security Office
EMC

"When I heard about BSIMM I let out a cheer—at long last a practical guide for those that want to do application security for real. Gary and the gang behind this deserve a real pat on the back."

Nigel Stanley
Security Practice Leader
Bloor Research

"It's great to see that someone is offering practical advice in this area. It's past time that the industry started treating software development as serious business."

Marcus J Ranum
CSO, Tenable Network Security
Inventor of the firewall

"The BSIMM goes a long way towards transforming software security from an alchemy-like art to an Empirical science. By studying real software security initiatives, Gary, Sammy and Brian have created an important yardstick for software security."

Avi Rubin, Ph.D.
Professor of Computer Science, Johns Hopkins University
Author of Brave New Ballot