Upload File

7 lessons learned from bsimm

1
How High can you soar? Seven years of data gathered from 100+ initiatives provide a bird’s eye view of software security. You can apply lessons from the Building Software Security in Maturity Model (BSIMM) to your business regardless of your industry, your size, or the mix of your applications. 7 U n d e n i a b l e T r u t h s t o M a k e B e tt e r S o f t w a r e S e c u r i t y Don’t just drift in the wind To navigate to your final destination you must know your launch point and accurately assess the conditions. BSIMM can’t guarantee a smooth ride but it can make it easer to ascend the maturity curve, even when the wind is blowing. While these truths are universal, they scratch the surface of what BSIMM can reveal. A BSIMM Assessment compares your software security initiative against your peers, so you can identify strengths, uncover gaps, and determine strategies that fit your own organization. Security initiatives commonly start with straightforward activities, such as a security feature review, before they take on those that require more coordination, such as creating customized rule sets. You can use BSIMM to assess your level of maturity. 1. GAIN ALTITUDE IN STAGES 2. MOVE AT YOUR OWN SPEED BSIMM shows that the rate of acceleration along the maturity curve is not the same for every organization, or even every industry. You must launch and navigate your security journey based on your own risk drivers, budget and priorities. 3. A PILOT IS ESSENTIAL No organization can have a successful software security initiative without leadership. BSIMM shows that mature initiatives are typically led by a senior executive and managed by a Software Security Group that establishes governance, policy, and standards. 4. THE RIGHT CREW IS KEY BSIMM shows that many organizations rely on security testing tools, but mature organizations know tools alone are not enough to reduce risk. It takes experts to interpret results, prioritize findings and fix issues. 5. BROAD SUPPORT EASES THE RIDE BSIMM shows that mature initiatives have support from people in functions other than the security team, such as developers, architects, and product owners. You must develop a “satellite” crew to raise awareness and ensure security policies are carried out. 6. CONDITIONS WILL CHANGE Years of BSIMM data show that organizations change their mix of security strategies, adding new activities and replacing others, as they navigate. It’s essential to stay up to date and regularly evaluate your own tactics. 7. CHART YOUR OWN COURSE BSIMM shows that while companies begin their journey with common practices, as they ascend they pick and choose among 112 security activities to reduce risk. After you see how you compare, you can use BSIMM to make decisions that fit your company. FIRE THE BURNERS WHAT CAN YOU LEARN FROM A BSIMM ASSESSMENT? FIND OUT NOW www.synopsys.com

Upload: cigital

Post on 13-Apr-2017

28 views

Category:

Software


0 download

Report

TRANSCRIPT

Page 1: 7 Lessons Learned From BSIMM

How Highcan you soar?

Seven years of data gathered from 100+ initiatives provide a bird’s eye view of software security. You can apply lessons from the Building Software Security in Maturity Model (BSIMM) to your business

regardless of your industry, your size, or the mix of your applications.

7 Undeniable Truths to Make Better Software Security

Don’t just drift in the windTo navigate to your final destination you must know your launch point and accurately assess the conditions. BSIMM can’t guarantee a smooth ride but it can make it easer to ascend the maturity curve, even when the wind is blowing.

While these truths are universal, they scratch the surface of what BSIMM can reveal. A BSIMM Assessment compares your software security initiative against your peers, so you can identify strengths, uncover gaps, and determine strategies that fit your own organization.

Security initiatives commonly start with straightforward activities, such as a security feature review, before they take on those that require more coordination, such as creating customized rule sets. You can use

BSIMM to assess your level of maturity.

1. GAIN ALTITUDE IN STAGES

2. MOVE AT YOUR OWN SPEEDBSIMM shows that the rate of acceleration along the maturity curve is not the same for every organization, or even every industry. You must launch and navigate your security journey based on your own risk drivers,

budget and priorities.

3. A PILOT IS ESSENTIALNo organization can have a successful software security initiative without leadership. BSIMM shows that mature initiatives are typically led by a senior executive and managed by a Software Security Group that

establishes governance, policy, and standards.

4. THE RIGHT CREW IS KEYBSIMM shows that many organizations rely on security testing tools, but mature organizations know tools

alone are not enough to reduce risk. It takes experts to interpret results, prioritize findings and fix issues.

5. BROAD SUPPORT EASES THE RIDEBSIMM shows that mature initiatives have support from people in functions other than the security team, such as developers, architects, and product owners. You must develop a “satellite” crew to raise awareness

and ensure security policies are carried out.

6. CONDITIONS WILL CHANGEYears of BSIMM data show that organizations change their mix of security strategies, adding new activities and replacing others, as they navigate. It’s essential to stay up to date and regularly evaluate your own

tactics.

7. CHART YOUR OWN COURSEBSIMM shows that while companies begin their journey with common practices, as they ascend they pick and choose among 112 security activities to reduce risk. After you see how you compare, you can use

BSIMM to make decisions that fit your company.

FIRE THE BURNERSWHAT CAN YOU LEARN FROM A BSIMM ASSESSMENT?

FIND OUT NOWwww.synopsys.com

Lessons learned from accident investigation Seminar/IHS - Day 2... · LESSONS LEARNED FROM OTHERS LESSONS LEARNED FROM UAE ... Lessons Learned . ... Dealing with survivors and bereaved

Lessons Learned from Failures Dec 2014 - MTS Houston · 212 on board, 123 perished, 89 survivors ... Lessons Learned Lessons Learned. ... Lessons Learned from Failures Dec 2014.pptx

Lessons Learned from “Lessons Learned” · 2 LESSONS LEARNED FROM “LESSONS LEARNED” 2. The NRC set safety goals in its Safety Goal Policy Statement, initiated not long after

Lessons Learned

5 Lessons Learned from the BSIMM

Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

5 Eye-Opening Lessons Learned From BSIMM - Synopsys · 2020. 7. 30. · Title: 5 Eye-Opening Lessons Learned From BSIMM Author: Cigital Subject: 5 Eye-Opening Lessons Learned From

Lessons Learned Handbook · 2011-10-12 · • Lessons Learned, an adjective, describes anything related to a Lessons Learned procedure. E.g. Lessons Learned process, Lessons Learned

Lessons Learned and Lessons to Be Learned: Investment Law & … · 2014. 4. 30. · 1 Lessons Learned and Lessons to Be Learned: Investment Law & Development for Developed Countries

Lessons learned & not learned at MSU

Lessons Learned Globally - Campaign for Tobacco-Free Kids...Process lessons learned 2. Content lessons learned See next page for lists of these lessons learned. 7 | Lessons Learned

LEARNED LESSONS:

LESSONS LEARNED AND GOOD PRACTICES...Lessons Learned Lessons are learned for sharing and applying to similar projects. Project lessons are learned from experiences, both inspiring

Lessons Learned Events at SLAC · 2012-09-14 · Lessons Learned Events: Summary Comments . Important to identify and communicate lessons learned! Lessons learned and near misses

Lessons learneD

Lean lessons learned - lean startup methodology and lessons learned from Blossom

Lessons Learned:

Lessons Learned Remote PM+ Cohort Integrated K+S · Lessons Learned Below are key lessons learned on providing Remote PM+ Training of Helpers. These lessons learned are based off

ASSESSMENT & LESSONS LEARNED FROM AFRICAN DIASPORA MARKETPLACEpdf.usaid.gov/pdf_docs/PDACT256.pdf · ASSESSMENT & LESSONS LEARNED FROM AFRICAN ... ASSESSMENT & LESSONS LEARNED FROM