This week, Gary McGraw and his team released the third version of the Building Security In Maturity Model (BSIMM3).  On behalf of SAFECode, I’d like to congratulate the entire team on another successful release of what has become a great resource for the security community.

With the BSIMM’s third release comes another wave of questions regarding SAFECode and the BSIMM and how the two efforts fit together.  In fact, I have gotten enough questions about this that SAFECode will take a closer look at the BSIMM in a longer form document we hope to release later this fall.

In the meantime, though, I’ll try to answer the basic question on the differences between the BSIMM and SAFECode.  It is more than just the number of firms who participate; rather, it is the difference between descriptive and prescriptive guidance on improving software security.

The BSIMM is about collecting data that describes the things firms across a broad set of verticals do today.  It does not – and this is important – describe what they should do. As a descriptive model, it doesn’t make judgments. The BSIMM won’t tell you what to do or how to do it, and it doesn’t weigh which practices are more effective in some verticals or which practices might be more effective in others.  Its authors’ intention is to observe and report on the frequency of use of particular security practices within a set of IT organizations – and thus allow the reader to form their own conclusions about what constitutes effective security development practice.

SAFECode is supportive of the BSIMM work and we are pleased with the success of its third release.  In fact, nearly all of our members have joined in the effort because we all share a common goal – to improve software security. But, at SAFECode, we are taking a different path to that goal.

SAFECode members represent one vertical: the organization is composed of commercial software providers, and our recommendations and efforts speak from that perspective.  It is SAFECode’s belief that large commercial software providers have a unique set of software security requirements, and thus our efforts focus on the needs of these organizations and their customers.

Perhaps more important, SAFECode has chosen a prescriptive approach that emphasizes the use of security practices and techniques that have proven to be effective at each of the SAFECode member organizations.  It makes deliberate value judgments regarding security practices and prioritizes those that were recognized by SAFECode experts as having the most impact – regardless of organizational size, resource pools or computing platform.  In this spirit, it is important to note that SAFECode is primarily focused on engineering best practices.

While the BSIMM’s open-ended “here’s what everybody else is doing” approach may help organizations identify blank spots in their development security landscape, or assist them in picking activities, SAFECode offers detailed advice for developers on recommended practices for design, coding and testing.  This is an important distinction that we’ll dive into further in our upcoming paper.

In sum, SAFECode’s commercial software-focused, prescriptive approach offers software security practitioners a blueprint for secure engineering best practices based on what we judge to be most effective as a result of our collective, real-world experiences. The BSIMM’s descriptive approach provides the software security practitioner with a non-judgmental lens into software security activities across a broad spectrum of organizations.

Strong industry collaboration can only have a positive impact on the state of software security.  The two approaches, either in concert or independently, can be used by any organization to review and improve their software security program.  Further, when viewed together, we believe SAFECode and the BSIMM are a powerful combination in the broader industry effort to advance software security.  Thus, we encourage you to take a look at the new data the BSIMM3 offers.