Last fall, I spent a half-day discussing the SDL with Gary McGraw and Sammy Migues of Cigital, and Brian Chess of Fortify. The three of them were on a whirlwind tour of software security teams across the IT industry with the objective of building an industry picture of best practices in secure development. In our meeting, we went through details of what we do and don’t require as part of the SDL, and why we’ve made the decisions we have. We went into a fair degree of depth and, because these are really good security folks, the meeting was a lot of fun.
The payoff from Gary’s, Sammy’s, and Brian’s work is the Building Security In Maturity Model (BSIMM) that was released to the web late last week. The model enumerates best practices in building software that’s resistant to attack, as applied by nine real-world software development organizations.
I’ve historically not been a fan of “maturity models” because many of them are so abstract and paper-oriented that you can rate “high” on the maturity model and still fail at whatever attribute of your products and processes (quality, timeliness, security) the model purports to measure. In contrast, I like the BSIMM because
· It’s specific. The measures in the BSIMM are things that an development organization actually does to produce secure software.
· It’s real-world. Gary, Sammy, and Brian made a rule that no activity would be included in the BSIMM unless at least one of the organizations they interviewed actually performed that activity.
On reviewing the BSIMM as finally released, I was also gratified to see that Microsoft fares extremely well as measured against the BSIMM – we conduct virtually all of the activities defined by the BSIMM. Approximately three quarters of the BSIMM activities are covered by the SDL, and most of the rest are covered by other internal Microsoft security and privacy policies that are not parts of a software vendor’s development process.
One question we’ve discussed in reviewing the BSIMM is how it relates to the SDL Optimization Model. We think of it this way: the BSIMM tells you that the SDL is an industry-leading process for developing secure software. The Optimization Model provides your organization with specific guidance on getting started in secure development – telling you how to make progress in improving your organization’s development practices and getting to a point of high maturity as measured by the BSIMM.