Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
hi sc-l,

Once every blue moon, software security makes it into the major press.  BSIMM4 
did it today.

http://blogs.wsj.com/cio/2012/09/26/bank-cyberattacks-underscore-need-for-security-processes/

I think it's great when the major players get past the train wreck mentality 
that seems to pervade security coverage.

gem

p.s. This Dennis Fisher podcast is worth a listen too:
https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: gem <g...@cigital.com>
Date: Tuesday, September 18, 2012 9:56 AM
To: Secure Code Mailing List <SC-L@securecoding.org>
Cc: Sammy Migues <smig...@cigital.com>, Jacob West <j...@hp.com>
Subject: BSIMM4 Released Today

hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly 
from data observed in 51 firms.  If you ever wonder what software assurance 
looks like in commercial practice (and how to measure it), the BSIMM sheds 
plenty of light on current practice.

Download a copy today (for free under the Creative Commons) at 
http://bsimm.com/

BSIMM4 provides insight into fifty-one of the most successful software security 
initiatives in the world and describes how these initiatives evolve, change, 
and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, 
The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, 
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, 
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, 
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 
2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured 
multiple times, some firms with multiple divisions measured separately and 
rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time 
software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with 
a development-based satellite of 2039 people to secure the software developed 
by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM 
project, new activities were observed in addition to the original 109, 
resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] BSIMM4 Released Today

2012-09-18 Thread Gary McGraw
hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly 
from data observed in 51 firms.  If you ever wonder what software assurance 
looks like in commercial practice (and how to measure it), the BSIMM sheds 
plenty of light on current practice.

Download a copy today (for free under the Creative Commons) at 
http://bsimm.com/

BSIMM4 provides insight into fifty-one of the most successful software security 
initiatives in the world and describes how these initiatives evolve, change, 
and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, 
The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, 
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, 
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, 
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 
2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured 
multiple times, some firms with multiple divisions measured separately and 
rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time 
software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with 
a development-based satellite of 2039 people to secure the software developed 
by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM 
project, new activities were observed in addition to the original 109, 
resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
