Hack2Secure Assists Organization in Secure Application Development Through BSIMM-7 Framework
1. BSIMM-7 Software Security Framework
● BSIMM is a software security measurement framework established to help organizations compare their software security to other organizations' initiatives and find out where they stand.
● The Building Security In Maturity Model is a study of existing software security initiatives.
● By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.
● The model is based on a study of organizations across industries such as financial services, healthcare, software, cloud providers and more.
2. How Does BSIMM7 Work?
● The model is based on observational science around software security.
● Built on years of research and findings, it provides a common measuring stick of 113 activities for organizations.
● These activities are grouped into 12 practices organized into 4 domains: Governance, Intelligence, SSDL Touchpoints and Deployment.
● The BSIMM7 Software Security Framework (SSF) and its activity descriptions provide a common vocabulary for explaining the elements of a software security initiative, enabling organizations to compare their maturity uniformly.
● BSIMM7 is the 7th major version of the BSIMM model.
3. Advantages of Adopting BSIMM7 Framework
● Enables organizations to start a Software Security Initiative (SSI).
● Provides standard criteria to measure and compare SSIs within a domain or industry.
● Helps organizations learn from others' mistakes so that they don't repeat them.
● It helps the members of the BSIMM community by bringing together people from companies that have measured themselves, so they can compare notes and realize that they often have the same problems.
● It gives you clarity on what the right thing to do is.
● This model helps industries and business units measure the current state of their software security initiative, identify gaps and prioritize change by applying scientific principles.
● It helps reduce cost through standard, repeatable processes.
● It helps them plan, execute and measure an initiative of their own without bringing any third party on board for the same.
● Governance:
These are practices that help companies organize, manage and measure a Software Security Initiative.
● Strategy & Metrics (SM):
It covers security process planning and publication, helping to define software security goals and the metrics required to measure them.
● Compliance & Policy (CP):
This practice focuses on regulatory or compliance drivers such as PCI DSS and HIPAA.
● Intelligence:
These practices result in the collection and identification of corporate intelligence related to the SSI.
● Attack Models (AM):
In this practice developers think like an attacker and build knowledge of technology-specific attack patterns.
● Security Features & Design (SFD):
This practice provides guidance on building, reviewing and publishing proactive security features.
● Standards & Requirements (SR):
This practice spells out the explicit security standards and requirements for the organization.
● SSDL Touchpoints:
This domain covers the essential security best practices required in the phases of the software development lifecycle (SDLC).
● Architecture Analysis (AA):
The primary goal of this practice is to build quality control by performing security feature and design reviews for high-risk applications.
● Code Review (CR):
This practice includes activities related to secure code implementation and the review process.
● Security Testing (ST):
It deals with activities related to different security testing methods such as black-box testing, fuzzing, automation, risk-driven white-box analysis, etc.
● Deployment:
This domain includes practices that deal with network security and software maintenance requirements.
● Penetration Testing (PT):
It involves activities related to vulnerability discovery and the correction of security defects in software that has moved to deployment.
● Software Environment (SE):
This practice includes activities related to secure software deployment and maintenance.
● Configuration Management & Vulnerability Management (CMVM):
The goal of this practice is to track activities related to patching, version control and change management.
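To make the measuring mechanism concrete (the "common measuring stick" of activities grouped into 12 practices and 4 domains, and the "measure, identify gaps, prioritize" use described under the advantages), here is an added example that is not from the page, from Hack2Secure or from the BSIMM project itself. It assumes the scoring convention BSIMM scorecards publish, a per-practice "high-water mark" (the highest activity level, 1 to 3, at which at least one activity was observed), and adds Training (T) to Governance, which completes the 12 practices and which the slide listing omits. The activity ids, the hypothetical organization's observations and the peer-average benchmark are constructed placeholders, not BSIMM7's real activity list or data.

```python
"""BSIMM-style scorecard: high-water marks per practice, activity coverage and
gap prioritization against a peer benchmark. Added example; the activity ids,
observations and benchmark below are constructed placeholders, not BSIMM7 data."""
from __future__ import annotations
from dataclasses import dataclass

# The 4 domains and 12 practices of the BSIMM Software Security Framework.
# Training (T) completes the Governance domain; the slide listing omits it.
DOMAINS = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
PRACTICES = [p for ps in DOMAINS.values() for p in ps]


@dataclass(frozen=True)
class Activity:
    id: str        # constructed placeholder id, not a real BSIMM7 activity id
    practice: str  # practice abbreviation, e.g. "SM"
    level: int     # each BSIMM activity sits at level 1, 2 or 3 in its practice


def build_catalog() -> list[Activity]:
    """Constructed stand-in for the 113-activity BSIMM7 list: two activities
    per level per practice (72 in all), named <PRACTICE>-<level>.<n>."""
    return [Activity(f"{p}-{lvl}.{n}", p, lvl)
            for p in PRACTICES for lvl in (1, 2, 3) for n in (1, 2)]


def high_water_marks(catalog: list[Activity], observed: set[str]) -> dict[str, int]:
    """Score the way BSIMM scorecards do: per practice, the highest level at
    which at least one activity was observed (0 when none were)."""
    by_id = {a.id: a for a in catalog}
    unknown = observed - set(by_id)
    if unknown:  # a typo in an assessment must not silently lower a score
        raise ValueError(f"unknown activity ids: {sorted(unknown)}")
    marks = dict.fromkeys(PRACTICES, 0)
    for aid in observed:
        act = by_id[aid]
        marks[act.practice] = max(marks[act.practice], act.level)
    return marks


def coverage(catalog: list[Activity], observed: set[str]) -> dict[str, tuple[int, int]]:
    """(observed, total) activities per practice. A level-3 high-water mark
    resting on a single activity is a thin claim; this exposes that."""
    total = dict.fromkeys(PRACTICES, 0)
    seen = dict.fromkeys(PRACTICES, 0)
    for act in catalog:
        total[act.practice] += 1
        if act.id in observed:
            seen[act.practice] += 1
    return {p: (seen[p], total[p]) for p in PRACTICES}


def gaps(marks: dict[str, int], benchmark: dict[str, float]) -> list[tuple[str, int, float, float]]:
    """Practices below the peer benchmark as (practice, mark, benchmark,
    shortfall), largest shortfall first, so remediation can be prioritized."""
    rows = [(p, marks[p], benchmark[p], round(benchmark[p] - marks[p], 1))
            for p in PRACTICES if marks[p] < benchmark[p]]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


# Constructed observations for a hypothetical organization (ids from the catalog above).
OBSERVED = {
    "SM-1.1", "SM-2.1",
    "CP-1.1", "CP-1.2", "CP-2.2", "CP-3.1",
    "AM-1.1",
    "SFD-1.1", "SFD-2.1",
    "SR-1.1", "SR-1.2",
    "AA-1.1",
    "CR-1.1", "CR-2.1", "CR-2.2",
    "ST-1.1", "ST-2.1",
    "PT-1.1", "PT-2.1", "PT-3.1",
    "SE-1.1",
    "CMVM-1.1", "CMVM-2.1",
}
# Constructed peer-average high-water marks, standing in for a published
# BSIMM vertical benchmark (e.g. financial services); not real BSIMM numbers.
PEER_BENCHMARK = {
    "SM": 2.2, "CP": 2.0, "T": 1.5,
    "AM": 1.8, "SFD": 1.9, "SR": 2.0,
    "AA": 1.6, "CR": 2.1, "ST": 1.7,
    "PT": 2.4, "SE": 1.7, "CMVM": 2.3,
}

if __name__ == "__main__":
    cat = build_catalog()
    marks = high_water_marks(cat, OBSERVED)
    cov = coverage(cat, OBSERVED)
    for domain, ps in DOMAINS.items():
        print(domain)
        for p in ps:
            print(f"  {p:<5} level {marks[p]}  ({cov[p][0]}/{cov[p][1]} activities)  peer {PEER_BENCHMARK[p]}")
    print("Gaps, largest shortfall first:")
    for p, mark, bench, short in gaps(marks, PEER_BENCHMARK):
        print(f"  {p:<5} {mark} vs {bench} (shortfall {short})")
```

Run it as a script to print the scorecard grouped by domain and the prioritized gap list. Two design choices matter for anyone adapting this to a real assessment: unknown activity ids raise instead of being ignored, because a mistyped id would otherwise quietly lower a practice's score, and coverage is reported next to the high-water mark, because a single observed level-3 activity in a practice says little about how embedded that practice actually is.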