7-lessons-learned-from-bsimm
0 likes73 views
The document discusses lessons learned from the Building Security in Maturity Model (BSIMM) based on data from over 100 software security initiatives. It provides the following key points: 1. Software security initiatives progress at different rates based on an organization's risk drivers, budget, and priorities. Mature initiatives are typically led by senior executives and have cross-functional support. 2. While security tools are important, mature organizations know that experts are also needed to properly interpret results and prioritize issues. 3. No initiative can succeed without leadership, and mature initiatives establish governance, policy, and standards set by a dedicated security group.
7-lessons-learned-from-bsimm
- 1. Security initiatives commonly start with straightforward activities, such as a security feature review, before they take on those that require more coordination, such as creating customized rule sets. You can use BSIMM to assess your level of maturity. 1. gain altitude in stages 2. Move at your own speed BSIMM shows that the rate of acceleration along the maturity curve is not the same for every organization, or even every industry. You must launch and navigate your security journey based on your own risk drivers, budget, and priorities. 4. The right crew is key BSIMM shows that many organizations rely on security testing tools, but mature organizations know tools alone are not enough to reduce risk. It takes experts to interpret results, prioritize findings and fix issues. 3. A pilot is essential No organization can have a successful software security initiative without leadership. BSIMM shows that mature initiatives are typically led by a senior executive and managed by a Software Security Group that establishes governance, policy, and standards. 5. Broad support eases the ride BSIMM shows that mature initiatives have support from people in functions other than the security team, such as developers, architects, and product owners. You must develop a “satellite” crew to raise awareness and ensure security policies are carried out. 6. Conditions will change Years of BSIMM data show that organizations change their mix of security strategies, adding new activities and replacing others, as they navigate. It’s essential to stay up to date and regularly evaluate your own tactics. HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?Eight years of data gathered from 100+ initiatives provide a bird’s eye view of software security. You can apply lessons from the Building Software Security in Maturity Model (BSIMM) to your business regardless of your industry, your size, or the mix of your applications. 7UndeniableTruthstoHelpYouMakeBetterSoftwareSecurityDecisions HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar?HOWHIGHcanyousoar? Don’tjustdriftinthewind To navigate to your final destination, you must know your launch point and accurately assess the conditions. Although BSIMM can’t guarantee a smooth ride, it can make it easer to ascend the maturity curve, even when the wind is blowing. While these truths are universal, they scratch the surface of what BSIMM can reveal. A BSIMM assessment compares your software security initiative against your peers, so you can identify strengths, uncover gaps, and determine strategies that fit your own organization. BUILDING SECURITY IN www.cigital.com 7. Chart your own course BSIMM shows that while companies begin their journey with common practices, as they ascend they pick and choose among 113 security activities to reduce risk. After you see how you compare, you can use BSIMM to make decisions that fit your company. FIRE the burnersWhat can YOU learn from a BSIMM Assessment? FindOutNow