Building Security In Maturity Model


It's no secret I'm a big fan of the work that Gary McGraw, Brian Chess, and Sammy Migues have done on the Building Security In Maturity Model (BSIMM). The idea of any maturity model is to have a set of criteria for a process that demonstrate how maturely that process is being run. While it's not an exact science, it is a pretty good comparative model, and for any process that is not fully matured or innovating, it gives some idea of what the "next steps" are to improving the process. The good news about the BSIMM is that they didn't just make up the criteria for the model - they dealt with ten companies from several industries to get a picture of what some of the mature practices out there actually are.

One of the great things about the results of their research is that they've released them under the Creative Commons Attribution - Share Alike 3.0 License. It's also good to see that the run-time testing is not limited to penetration testing by the software security group, but includes fuzzing and failure or abuse cases in QA.

Anyway, I can't provide any more valuable information than what's in the model itself. So go take a look.