Measuring Software Security

Posted by in SC in the news on May 12, 2010

Gary McGraw and the Building Security In Maturity Model (BSIMM) team just released BSIMM2 today. If you haven’t heard of BSIMM before, please take a look at the article I wrote about it over at eSecurity Planet. An excerpt is below.

“You are not a special snowflake.”

This is how Dr. Gary McGraw, author of Software Security: Building Security In and Exploiting Online Games: Cheating Massively Distributed Systems, and CTO of the software security company Cigital, distills the findings from his Building Security In Maturity Model (BSIMM) and recently launched BSIMM2 projects. Quick translation: measuring whether or not software meets quantifiable security levels is applicable to all software, regardless of the vertical, industry, or purpose it was written for. Although each firm’s process is unique, the measurement of a software security initiative is not.

Measurements are what we use to determine how well we’re doing and gauge improvement (or decline) over time. Measurements are particularly helpful when assessing the relative effectiveness of different methods.

For the rest of the article, please click over here.
