5 lessons learned from the bsimm


Upload: cigital

Post on 13-Apr-2017


Category:

Software


TRANSCRIPT

Page 1: 5 Lessons Learned from the BSIMM

5 Eye-Opening Lessons Learned From BSIMM 6

The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of real-world software security initiatives. Quantifying the practices carried out by real software security initiatives helps security teams to plan, carry out, and measure initiatives of their own.

After reviewing the software security initiatives (SSIs) of over 100 companies, we’ve uncovered several undeniable trends and truths. Here are the top 5 things you should keep in mind as you build or tweak your program.

1. There are no special snowflakes. When it comes to deciding which activities will make your software secure, the 112 security activities described in BSIMM fit every organization regardless of industry. What works to keep financial services firms secure will work for retailers, manufacturers, and you.

2. Your firm’s risk drivers are unique. While the BSIMM defines what firms are doing to make software secure, the risk drivers in any given firm will result in unique prioritization, scale, implementation, depth, breadth, and other characteristics for the activities implemented. Doing this well is a foundational necessity for ongoing cost-effectiveness and success.

3. Your software security team can’t do everything. Unless your firm is very small, there isn’t a single group within the organization that touches every tool, system, configuration, or entry point. Provide everyone with awareness training and recruit other people or teams to help you secure the nooks and crannies of your organization.

4. Software security is more than penetration testing. Just as a tool can’t solve the software security problem by itself, neither can penetration testing. The BSIMM highlights 12 core activities every strong SSI does and 100 more that should be considered. Learn what they are at www.BSIMM.com.

5. Security still needs people. While you can buy any number of tools that go ‘ding in the night’ when vulnerabilities are discovered, someone has to be there to read the results, prioritize findings, and fix the issues. Good people, not tools, make the difference.

By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.

Learn how you can become a part of the BSIMM community. Visit www.BSIMM.com