Introduced in 2008 as a measuring stick for software security, BSIMM includes 113 activities organizations can implement to improve software security. By tallying the number of activities it has implemented, a company participating in BSIMM can compare and contrast its security position with peers that also use this model.
Deeper problems remain
Nevertheless, BSIMM has its limitations—and its critics.
West acknowledged that BSIMM does not directly measure the importance a firm places on software security. However, it does show growth in investment and interest in security among a wide variety of companies.
“The overall increase in maturity of firms shows continued and growing investment,” he explained, “and the growth of BSIMM membership in new verticals—cloud software, insurance, healthcare, and most recently Internet of Things (IoT)—shows that software security is becoming an important focus for firms outside the traditional areas of financial services and software.”
Organizations have performed so poorly in securing software applications that anything to raise awareness of the problem will help, but more than a framework is needed to address the core problem, said John Matthew Holt, CTO and founder of Waratek, an application monitoring and security company.
“You’re not going to get there from box-ticking in some framework. It’s not going to make security a core competency. It’s going to give you some value, but something else has to set in to take things to the next level.”
—John Matthew Holt