Today SAFECode published Interpreting the BSIMM: A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives. The goal of the paper is to provide SAFECode’s perspectives on the BSIMM and address the questions that we often get about how our guidance relates to the data released through the BSIMM effort.  It expands on my recent blog post that discussed the differences between descriptive and prescriptive software security guidance.

While I encourage you to read the paper and won't attempt to summarize it here, I will highlight a few key points we think are worth remembering when you review the BSIMM data.

First, the BSIMM covers much more than secure engineering practices, and in many ways is weighted toward operational security and compliance activities. This point is often lost in conversations around the BSIMM data, and it is worth considering carefully if you plan to use the data to review your own software security efforts. In fact, strictly adopting the practices that the BSIMM reports as most prevalent would not address what SAFECode considers the root cause of the software security problem: inadequate secure coding practices. Thus, while many SAFECode members participate in and support the BSIMM, none of them uses it as the arbiter of proper secure development practice.

Another point not often discussed is that, because the BSIMM is a "snapshot in time" of currently observed practices, it will not capture emerging practices in software security. Those looking to use the BSIMM should therefore consider supplementing its data with more prescriptive guidance, which tends to highlight such trends and place more emphasis on these shifts. The BSIMM will eventually capture these changes, but only in hindsight, once enough historical data has accumulated to show the shift.

For more details on these issues and additional SAFECode observations, I encourage you to read the short paper. I'd also like to emphasize that while SAFECode thought it was important and appropriate to provide its perspective on the BSIMM as part of its ongoing efforts to provide software security guidance to technology providers, our goal is not to minimize the BSIMM's value or significance.

In fact, the BSIMM provides real value when interpreted correctly. It is perhaps the only source of real-world, quantitative data on software security programs across a broad range of organizations. The BSIMM gives the software security practitioner a non-judgmental lens into a broad spectrum of security activities whose scope extends beyond secure software development.

And, while there are some important differences between the guidance SAFECode provides and the BSIMM initiative, we are all working toward a common goal – to improve the state of software security. And that is something we should all support.