Gary McGraw gem at cigital.com
Wed May 12 13:56:43 EDT 2010

hi all,

Robert suggested that an official posting about the release of BSIMM2 might be in order on the list since it covers secure SDLC issues.  Hopefully you will agree.

In March 2009 we announced the publication of the BSIMM---a measuring stick for software security.  We're pleased today to announce the publication of BSIMM2.  We have tripled the size of the data set to thirty firms, including: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo.

BSIMM2 is available for free under the creative commons license from <http://bsimm2.com>.  Download your copy today.

The BSIMM2 document itself is 53 pages.  A concise treatment of the results can be found in my monthly InformIT column in an article titled "BSIMM2: Measuring the Emergence of a Software Security Community":

Our study represents the work of 635 people who are members of the 30 firms' SSGs.  Together, the firms have a collective 130 years of experience planning and executing 30 software security initiatives.  Among other results, we have identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important characteristic of the work.  We describe not what you should do for software security, but what successful software security initiatives are actually doing.  Use BSIMM2 to measure your own software security initiative and compare it to others.


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

MUSIC http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20
