Articles
- Cargo Cult Computer Security (January 28, 2010)
- BSIMM Update (SANS webcast) (January 28, 2010)
- You Really Need a Software Security Group (December 21, 2009)
- BSIMM Europe (November 10, 2009)
- BSIMM Begin (September 24, 2009)
- Measuring Software Security (June 18, 2009)
- Software Security Comes of Age (April 16, 2009)
- The Building Security In Maturity Model (BSIMM), Confessions of a Software Security Alchemist (March 16, 2009)
- Nine Things Everybody Does: Software Security Activities from the BSIMM (February 9, 2009)
- Software Security Top 10 Surprises (December 15, 2008)
- A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
In the Press
- January 28, 2010: BSIMM: A Descriptive Model of Software Security, good code.
- January 27, 2010: David Rice on Silver Bullet Security Podcast with Gary McGraw, Geekonomics.
- January 21, 2010: Special Webcast: The Impact of BSI-MM in Software Development Programs, GEEKONOMICS.
- January 20, 2010: The Building Security In Maturity Model, CERIAS Security Seminar Podcast.
- January 18, 2010: SANS Application Security Summit 2010, GEEKONOMICS.
- January 4, 2010: Software Security – An interview with Dr. Gary McGraw, Imperva Security Podcasts.
- December 31, 2009: Building Security In Maturity Model, RiskPundit.
- November 13, 2009: Interested in application (code) security?, Bloor.
- November 13, 2009: Best practices in information security, Continuity Central.
- November 12, 2009: New Study Provides Real-World Data on Leading Software Security Initiatives in Europe; First-ever European Maturity Model Details Success of SWIFT, Nokia and others, TMCnet.com.
- November 12, 2009: Cigital, Fortify tailor security model for Europe, SD Times.
- November 12, 2009: Fortify Software: New Study Provides Real-World Data on Leading Software Security Initiatives in Europe, TradingMarkets.com.
- November 11, 2009: BSIMM Europe, Business Exchange.
- November 11, 2009: Real-world data on software security initiatives, uncompiled.com.
- November 11, 2009: BSIMM Europe, Minded Security Blog.
- November 11, 2009: Real-world data on software security initiatives, Help Net Security.
- November 11, 2009: BSIMM Europe, Off by On blog (Fortify).
- November 11, 2009: BSIMM Europe, Justice League blog (Cigital).
- November 10, 2009: From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference, CyBlog: Security, Privacy and Mobility in the Information Age.
- November 06, 2009: Gary McGraw on Software Security, the BSIMM Model and Critical Thinking, Digital Underground podcast.
- November 06, 2009: Gary McGraw on Software Security, the BSIMM Model and Critical Thinking, Gary McGraw on Software Security, the BSIMM Model and Critical Thinking.
- November 03, 2009: BSIMM Begin web survey, Chenxi Wang's Blog.
- November 2009: Fortify: New Study Provides Real-World Data on Leading Software Security Initiatives in Europe, Global Security Mag.
- October 22, 2009: Open Security, Il sole 24 ore.
- October 22, 2009: Do The Right Thing, Off by One.
- October 13, 2009: BSIMM Survey, 1 Raindrop.
- October 12, 2009: Cigital, SANS Institute Roll Out Software Security Self-Measurement With BSIMM, Silobreaker.
- October 09, 2009: Best of Application Security (Friday, Oct. 9), Jeremiah Grossman.
- October 09, 2009: SANS NewsBites Vol. 11 Num. 80, SANS NewsBites.
- October 08, 2009: Cigital, SANS Institute Roll Out Software Security Self-Measurement With BSIMM, DarkReading.
- September 28, 2009: Software security: numbers needed!, Burton Group Blogs: Security and Risk Management.
- September 25, 2009: Benchmarking Security – Are We Safe Yet?, John Pescatore (Gartner Blog Network).
- September 15, 2009: Information Security Summit 2009 - Overview, Gartner.
- June 25, 2009: The Value of Static Analysis Tools, Building Real Software.
- May 5, 2009: Donald F. Donahue: Thought Leadership, FS-ISAC.
- May 10, 2009: CyLab Business Risks Forum: Gary McGraw on Online Games, Electronic Voting and Software Security, CyBlog.
- April 20, 2009: Secure software? Experts say it's no longer a pipedream, cnet security news.
- April 19, 2009: Brian Chess and Gary McGraw AND-401: Building Security In Maturity Model (BSIMM), RSA Conference 365.
- April 16, 2009: RSA 2009, SecurityCurve.
- April 8, 2009: The Rocky Road To More Secure Code, Dark Reading.
- April 8, 2009: Building Security In Maturity Model (BSIMM), (ISC)2 Blog.
- April 7, 2009: New model supports secure software coding, SearchSecurity.com Security Newsmakers.
- April 7, 2009: Software [In]security: Nine Things Everybody Does: Software Security Activities from the BSIMM, threatpost Punditry.
- April 6, 2009: Building Security In, Maturely, Emergent Chaos.
- April 01, 2009: A maturity model for software security, IT Professional.
- March 31, 2009: An Experience-Based Maturity Model for Software Security, CERT Podcast.
- March 27, 2009: BSIMM lays out security blueprint, SDTimes.
- March 27, 2009: The He Got Game Rule, 1 Raindrop.
- March 25, 2009: It B-SIMM-ply Marvelous!, Enterprise Security Blog.
- March 23, 2009: Interesting links - March 23rd, Security Viewpoints.
- March 19, 2009: BSIMM Defines Best Practices For Software Security, IndicThreads.
- March 18, 2009: New Site Defines Best Practices For Software Security, PC World.
- March 18, 2009: DTCC's Software Security Program and Leadership Recognized as World-Class, DTCC PR (also: MarketWatch, PR-Inside.com).
- March 17, 2009: How to Write Apps Without the Security Sinkholes, CSO Online's Security Insights (podcast).
- March 17, 2009: First Data-Based Security Maturity Model Released, Visual Studio Magazine (also: Redmondmag.com).
- March 17, 2009: The Building Security In Maturity Model, Don't panic!.
- March 16, 2009: Web Security Readers Digest, Jeremiah Grossman's blog.
- March 16, 2009: Security snippets: Conficker worm updates, Root.cz.
- March 13, 2009: Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives, CyBlog.
- March 13, 2009: Group Launches New Best Practices For Secure Software Development, Dark Reading (also: Thoughts of a Technocrat).
- March 13, 2009: Microsoft on 'Building Security In Maturity Model', Ruminations on Architecture and Security.
- March 12, 2009: New report offers low-down on secure development, Network World.
- March 12, 2009: Building Security In Maturity Model (BSIMM) v1.0 Released, Jason Yuen - "Understanding Information Security".
- March 12, 2009: Building Security In Maturity Model, The Security Development Lifecycle (MSDN).
- March 12, 2009: Software Security Model - BSI-MM released, Mike Andrews.
- March 11, 2009: Building Security In Maturity Model (BSIMM), good code.
- March 11, 2009: Application Security is Journey, Not a Destination, Security Incite.
- March 11, 2009: New report offers low-down on secure development, Techworld.com.
- March 10, 2009: A New Hope for Software Security?, Network World (also: CSO Online).
- March 10, 2009: Maturity Model for Software Security, marcelosouza.com.
- March 10, 2009: Maturity model offers software security yardstick, Computer Business Review (also: Computer World UK).
- March 9, 2009: Building Security In Maturity Model Partly Applies to Detection and Response, TaoSecurity.
- March 9, 2009: Secrets of the providers detailed in new report, SC Magazine.
- March 9, 2009: BSIMM: The Building Security In Maturity Model, Infowarrior.
- March 7, 2009: Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem, Gartner Blogs (Neil MacDonald).
- March 6, 2009: Building Security In Maturity Model is online, cgisecurity.com.
- March 6, 2009: New Security Maturity Model Published, Supply Chain Technology.
- March 6, 2009: CAG, BSIMM and field-assessed security, Security Balance.
- March 6, 2009: BSI-MM has arrived!, 1Raindrop.
- March 6, 2009: Fortify models de facto security standards, CBR Security.
- March 6, 2009: Risks Digest 25.60, RISKS.
- March 6, 2009: Off the wire: Benchmarks for developing and growing an enterprise-wide software security program, Softsecurity.com.
- March 5, 2009: BSIMM lives, SC-L.
- March 5, 2009: BSIMM: Maturing the process of Building Security In., SilverStr's Blog.
- March 5, 2009: BSIMM, Pseudorandom.
- March 5, 2009: Benchmarks for developing and growing an enterprise-wide software security program, Help Net Security.
- March 5, 2009: Build Security In Maturity Model Released, Web Security Testing Cookbook blog.
- March 5, 2009: Building Security In Maturity Model, Sylvan von Stuppe.
- March 5, 2009: Announcing the Building Security In Maturity Model (BSIMM), Justice League (Cigital blog).
- March 5, 2009: New Study Provides Real-World Data on Leading Software Security Initiatives, The Earth Times (also: News Blaze, Yahoo! Canada Finance, IT News Online, WTHR, Trading Markets, InfoWorld).
- March 4, 2009: New Effort Hopes to Improve Software Security, The Wall Street Journal Blog: Digits.
- March 4, 2009: Gary McGraw @ OWASP Belgian Chapter Meeting, /dev/random.
- March 4, 2009: BSIMM, Off by On (Fortify blog).
- March 4, 2009: The Building Security In Maturity Model (BSIMM), Dr. InfoSec™.
- March 4, 2009: New Effort Hopes to Improve Software Security, All Things Digital.
- February 16, 2009: Why top lists don't work, SearchSecurity.com podcast.
Advance Praise
"Nokia's participation in the BSIMM Europe project reflects a mutual, ongoing interest in setting, updating, and maintaining the highest standards in software security. The insights gained from the BSIMM project will doubtlessly further the definition of standards, which will not only serve as critical tools for measuring and comparing, but also enable the evolution of software security initiatives."
Janne Uusilehto
Head of Product Security
Nokia
"The path of improved software security has historically been a rocky one. To make it worse, the path has rarely been properly marked. The BSIMM fills this critical gap by providing a smoother, followable track to software security improvements. This practical maturity model allows organizations to benchmark their efforts against those of enterprises who have successful software security programs. By identifying what activities they could implement or strengthen, based on a comparison with industry best practices, organizations will be able to plan and implement activities which lead to more secure software."
Charles Kolodgy
Research Director
Secure Products
IDC
"In their groundbreaking BSIMM study, application security luminaries McGraw, Chess and Migues provide us with the guidance to achieve superior application security. They show us how we all might adopt the leading-edge practices of nine of the most advanced organizations in this space. This report will provide a huge boost to what is arguably the most critical goal of today's information professionals ... secure software."
C. Warren Axelrod, Ph.D.
Executive Advisor, Financial Services Technology Consortium
Author of "Outsourcing Information Security"
"The BSIMM effort is a fabulous step forward for Software Security as a whole, since it represents what these huge enterprises are actually doing in practice. It helps us all move the discipline significantly closer to being a sound engineering practice. Kudos!"
Kenneth R. van Wyk
KRvW Associates, LLC
Co-author of "Secure Coding"
"Microsoft's Security Development Lifecycle (SDL) was one of the first real enterprise software security methodologies, and we are always eager to share our ideas and best practices with the industry. BSIMM provides a public 'yardstick' for measuring the progress of any organization's own software assurance program."
Steve Lipner
Microsoft
Co-author of "The Security Development Lifecycle"
"I was surprised by the amount of common ground discovered between the financial services organizations, ISVs, and technology companies in the BSIMM study. All software security initiatives are by no means identical, but these findings demonstrate that an organization isn't going it alone when it comes to software security—you can learn from your peers. The BSIMM encapsulates important lessons from the best programs around."
Jim Routh
CISO of Depository Trust & Clearing Corporation (DTCC)
"Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organization operates. As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative."
Joe Feiman
Gartner
"Many people ask 'where do we start, and where do we go from here?' when considering building or expanding their software security initiative. Encompassing so many aspects—not the least of which are organizational rather than technical in nature—the use of a maturity model will help in setting proper strategic direction while not forgetting about the elements needed to make much-needed tactical wins."
Ramon Krikken
Analyst - Security and Risk Management Strategies
Burton Group
"EMC has made significant investments in software security with the goal of delivering more secure products to our customers. By opening our own practices to help define the Building Security in Maturity Model, we wish to help advance the adoption of software assurance practices in the industry, which is a critical objective for EMC."
Eric Baize
Senior Director, Product Security Office
EMC
"When I heard about BSIMM I let out a cheer—at long last a practical guide for those that want to do application security for real. Gary and the gang behind this deserve a real pat on the back."
Nigel Stanley
Security Practice Leader
Bloor Research
"It's great to see that someone is offering practical advice in this area. It's past time that the industry started treating software development as serious business."
Marcus J Ranum
CSO, Tenable Network Security
Inventor of the firewall
"The BSIMM goes a long way towards transforming software security from an alchemy-like art to an empirical science. By studying real software security initiatives, Gary, Sammy and Brian have created an important yardstick for software security."
Avi Rubin, Ph.D.
Professor of Computer Science, Johns Hopkins University
Author of Brave New Ballot