Rick Howard: The word is: BSIMM.
Rick Howard: Spelled: B for building, S for security, I for in, M for maturity, and M for model.
Rick Howard: Definition: A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops.
Rick Howard: Example sentence: The BSIMM is primarily a measuring stick for software security used by developers to compare and contrast their own initiative with the data about what other organizations are doing.
Rick Howard: Origin and context: Dr. Gary McGraw is one of the early security thought leaders and founding fathers, probably on the same level of importance as Bruce Schneier, Marcus Ranum, and Jeff Moss. His niche area of expertise is software security, and he has written at least a dozen books on the subject from 1996 to 2008. In March of 2008, while working as the CTO of Cigital, a software security firm, he embarked on a scientific data collection project that eventually led to version one of the Building Security In Maturity Model, or BSIMM.
Rick Howard: The model is a descriptive model as opposed to a prescriptive model like SAMM, the Software Assurance Maturity Model. SAMM tells you what organizations should be doing in terms of software security. BSIMM tells you what organizations are actually doing. In version one, McGraw and his Cigital team surveyed some 30+ companies and simply collated initiatives and activities around software security.
Rick Howard: The initial model offered no judgments. The idea was to collect what the community was doing. For the first time, this model started to nudge the community into a common vocabulary. By 2014, Synopsys, another consulting firm, acquired Cigital but still released a new BSIMM report every year.
Rick Howard: In the 2021 report, the BSIMM version 12 project surveyed some 128 organizations and collected data on 324 primary measurements from almost 4,000 developers and 153,000 applications. From the report, the top three activities observed were: number one, implementing life cycle instrumentation and use to define governance; number two, ensure host and network security basics are in place; and finally, number three, identify PII obligations. And the report does identify the use of a software bill of materials, or SBOM, by many of the 128 participating organizations.
Rick Howard: Nerd reference: At the OWASP App Security USA conference in 2014, Gary describes what the BSIMM is for:
Dr. Gary McGraw: The idea was, we're going to go gather data, and we're going to take the data, and then, we're going to look at the data, and then, we're going to build a model to describe the data.
Dr. Gary McGraw: I just said, data, data, data, data, data, right? Real data. Take it all. Build model.
Dr. Gary McGraw: Now this is weird because computer science, the way we usually do it is, well, I have a pet theory, so I'm going to build a big old system. And then I'm going to try to justify it with a little bit of data. But in most sciences, it works the other way around.
Dr. Gary McGraw: I got a big pile of data. Now I'm gonna try to model that data. That's what the BSIMM was about.
Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.