Steve Lipner here.
As many of you already know, Microsoft was one of the original nine companies that participated in the first iteration of the Building Security In Maturity Model (BSIMM). For those of you unfamiliar with BSIMM, it describes common software security practices across the participating companies – or, as the authors describe it, “…a collection of good ideas and activities that are in use today.” BSIMM allows you to determine which software security practices are most widely used across the sample set of development organizations.
The first BSIMM report was released in early 2009, and provided some great insights on security policies and practices currently in use. With today’s announcement, BSIMM has been expanded to include more companies, in more industries, across a wider geographical area.
I’m happy to have been asked to participate on the newly established BSIMM Advisory Board – to help guide the theory and practice of BSIMM, and to ensure that the data gathered has practical application for the security community at large.
I’d encourage you to take a look at the BSIMM – and compare your practices to the ones outlined in the BSIMM report. You might be surprised at the results!