Commit b557c7f

Create BSIMM.md
1 parent 9aac7aa commit b557c7f

1 file changed

Lines changed: 13 additions & 0 deletions

File tree

SecChamp/BSIMM.md

@@ -0,0 +1,13 @@
1+
2+
<img width="1536" height="706" alt="image" src="https://github.com/user-attachments/assets/443f820c-4127-4f98-9032-f94a4f9561e7" />
3+
4+
Application Security Program
5+
The problem of a systematic approach to security has been solved quite some time ago. Microsoft has introduced the first security assurance program in 2004. Named Microsoft Security Development Lifecycle (MSDL), it was Microsoft’s response to reduce software maintenance costs and increase reliability of software concerning software security related bugs. Since then a number of security assurance initiatives have been launched, such as OpenSAMM, BSIMM, SAMM, SSE CMM, SafeCode, NIST SSDF, etc. Unfortunately, up till now, most of them never really got any grip in the community. The main reasons are that they are not simple and challenging to introduce to large organizations. Small organizations have a lower risk exposure and the management typically isn’t really aware of the problem until it’s too late.
6+
7+
Here is the really good and bad news (depending where you are coming from). More regulatory pressure is on its way to mandate the use of an application security program for organizations. Memorandum M-22-18 mandates all US Federal agency suppliers to conform to NIST SSDF. The Cyber Resilience Act in Europe will be enforced in 2026 for all products with digital elements requiring a systematic approach to security. Furthermore, leading security-minded organizations are starting to set the bar higher for the rest.
8+
9+
Building Security In Maturity Model (BSIMM)
10+
BSIMM is a maturity model that helps organizations plan, implement and measure their software security assurance program. BSIMM consists of 4 domains split in 12 practices and containing a total of 125 security activities. So think of pen testing, patching, monitoring tools and threat modeling as some of these 125 activities you could (but not always should) do in your application security program. Here is a structural overview of the BSIMM13 domains and practices.
11+
12+
13+
BSIMM is not only the framework, but is also a measuring stick in the industry. BSIMM comes with an objective assessment of the different activities in 130 organizations from 8 industry verticals (financial services, independent software vendors, technology, healthcare, cloud, Internet of Things, insurance, and retail).
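Review bot: the acronym at new-file line 5, "Microsoft Security Development Lifecycle (MSDL)", does not match the name it abbreviates; Microsoft's program is abbreviated SDL, so either write "(SDL)" or spell out what the extra letter stands for. At line 10 the text says "Here is a structural overview of the BSIMM13 domains and practices." but lines 11-13 that follow are empty, so the promised overview (image or table of the 4 domains and 12 practices) appears to be missing from this commit and should be added or the sentence dropped. The image at line 2 carries alt="image", which gives screen-reader users nothing; describe the figure instead. Minor wording: "Since then a number of security assurance initiatives have been launched" wants a comma after "then", and the list names OpenSAMM and SAMM as separate initiatives although OWASP SAMM is the continuation of OpenSAMM, so one entry would do.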
