By creating spider charts like these from the BSIMM data, it's possible to compare and contrast how an industry approaches software security. Not surprisingly, the data shows that financial services companies emphasize compliance and policy activities and the creation of security features and design to a greater extent than ISVs. However, the most striking result is the huge amount of overlap between the two disparate industries. Financial services and software companies generally do the same thing when it comes to software security.
Even more interesting than pooling data from multiple companies is comparing the scores of an individual company with the BSIMM averages. This gives a clear indication of how a company's software security initiative stacks up against those of others. Figure 4 shows a hypothetical company called "Firm" compared with the BSIMM average (computed over 30 firms). The hypothetical company Firm is clearly ahead of the game in some practices (strategy and metrics, security features and design, code review, and penetration testing) and just as clearly behind in others (compliance and policy, architecture analysis, and software environment). A BSIMM spider chart provides data essential to informing an enlightened software security initiative strategy.
Table 2 is filled to the brim with useful data, including a mapping of whether the most commonly observed activities in the BSIMM (the top 15 which are highlighted in yellow) are found in the target company called "Firm" (resulting in a red or green square). Each individual activity can be compared, as can the 12 practices. Note that those practices where the firm is behind the average in the spider chart are marked in the scorecard as "blue shift" practices, and the BSIMM scorecard can automatically suggest activities to consider adopting based on how commonly they are observed in the real world.
BSIMM released its original study describing software security in nine companies in March 2009. In May, it released BSIMM2, covering 30 companies and providing statistically significant results. BSIMM plans to add more companies, and it's also been remeasuring current participants to mark the evolution in the maturity of their software security initiatives.
For Adobe, BSIMM provides a useful framework and data repository that lets its Secure Software Engineering Team measure its activities against other companies in the industry, says Brad Arkin, senior director of product security and privacy. He adds that it also helps the security team to answer questions such as "Are there things we don't do now but could or should be doing?" and "Are there things we should be doing differently because of a shift in the threat landscape?"
Leveraging BSIMM
How can you leverage the BSIMM model? For starters, examine and organize your security initiatives along the lines of BSIMM's 109 activities. Think about which will work in your culture and which you're already doing. Download the BSIMM2 model (it's free and available at www.bsimm2.com). Compare your data with the BSIMM average and make your own spider charts.
If you want an objective measurement, you can join the project, be scored by the authors of the model, and have your data added to it. A BSIMM score will give you a baseline that you can use to compare your software security initiatives to other companies and show progress as your initiative matures. Bottom line, this data will let you create a software security strategy that's directly informed by what others are doing and what works.
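The comparison described above and in the scorecard discussion (per-practice counts for the spider chart, "blue shift" practices, highlighted common activities, suggested adoptions) can be scripted once a firm's activities are organized by practice. The following is an added illustration, not code from the article or from the BSIMM project; the activity identifiers, observation frequencies and the sample firm are constructed placeholders, and only the practice names come from the text.

```python
# Constructed sample data, NOT real BSIMM figures: each practice maps to
# (activity_id, fraction of measured firms observed performing it).
ACTIVITIES = {
    "Strategy & Metrics":  [("SM-A", 0.90), ("SM-B", 0.50), ("SM-C", 0.20)],
    "Compliance & Policy": [("CP-A", 0.85), ("CP-B", 0.60), ("CP-C", 0.30)],
    "Code Review":         [("CR-A", 0.80), ("CR-B", 0.40)],
    "Penetration Testing": [("PT-A", 0.95), ("PT-B", 0.35)],
}


def firm_scores(adopted):
    """Number of adopted activities per practice: the radial a spider chart plots."""
    return {p: sum(a in adopted for a, _ in acts) for p, acts in ACTIVITIES.items()}


def average_scores():
    """Expected activity count per practice for the 'average' firm, i.e. the sum
    of the observation frequencies of that practice's activities."""
    return {p: sum(f for _, f in acts) for p, acts in ACTIVITIES.items()}


def blue_shift(adopted):
    """Practices where the firm trails the average (the scorecard's 'blue shift' marks)."""
    firm, avg = firm_scores(adopted), average_scores()
    return sorted(p for p in firm if firm[p] < avg[p])


def scorecard(adopted, top_n=4):
    """The top_n most commonly observed activities (the highlighted rows), each
    mapped to whether the firm performs it: True -> green square, False -> red."""
    ranked = sorted((a for acts in ACTIVITIES.values() for a in acts),
                    key=lambda item: -item[1])
    return {a: (a in adopted) for a, _ in ranked[:top_n]}


def suggestions(adopted, limit=2):
    """Unadopted activities, most commonly observed first: candidates to adopt next."""
    missing = [(a, f) for acts in ACTIVITIES.values() for a, f in acts if a not in adopted]
    return [a for a, _ in sorted(missing, key=lambda item: -item[1])[:limit]]


if __name__ == "__main__":
    firm = {"SM-A", "SM-B", "SM-C", "CR-A", "CR-B", "PT-A"}  # constructed "Firm"
    print("firm:", firm_scores(firm))
    print("average:", average_scores())
    print("blue shift:", blue_shift(firm))
    print("scorecard:", scorecard(firm))
    print("consider adopting:", suggestions(firm))
```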