Information Security Governance Papers

Paper Title: The Building Security In Maturity Model

Abstract: The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective. BSIMM is not a complete "how to" guide for software security, nor is it a one size fits all model. Instead, BSIMM is a collection of good ideas and activities that are in use today. For a concise description of the BSIMM, read the informIT article Software [In]security: The Building Security In Maturity Model (BSIMM), Confessions of a Software Security Alchemist.

Software security is the result of many activities. People, process, and automation are all required. The SSF and BSIMM together allow us to discuss the myriad activities without becoming mired in details. To that end, we believe a simple approach that gets to the heart of the matter trumps an exhaustive approach with a Byzantine result. A maturity model is appropriate because improving software security almost always means changing the way an organization works—something that doesn't happen overnight. BSIMM provides a way to assess the state of an organization, prioritize changes, and demonstrate progress. We understand that not all organizations need to achieve the same security goals, but we believe all organizations can be measured with the same yardstick.

Web Link: http://www.bsi-mm.com/
