Dennis Fisher talks with Gary McGraw, CTO of Cigital, about the BSIMM security model, the maturation of software security and whether our universities are turning out critical thinkers.
Dennis Fisher talks with Gary McGraw, CTO of Cigital, about the BSIMM security model, the maturation of software security and whether our universities are turning out critical thinkers.
*Podcast audio courtesy of Where’s Aubrey
Subscribe to the Digital Underground podcast on
Chris Eng with Veracode talks about how organizations are falling into security debt due to patch management issues.
From supply chain to orchestration tools, here are the new trends that DevOps should pay attention to in this year’s BSIMM report.
Threatpost editors discuss the highlights and biggest breaking news from this past week.
gem on
Dear chicken-poop anonymous poster,
We did the BSIMM for science. Here is a URL:
http://www.informit.com/articles/article.aspx?p=1562220
Capitalism is good.
gem
Rob Lewis on
GEM,
After short-term improvements in coding practices, do you see other possible long-term eventual outcomes for this study ie. turn-key bundled options for software development, a ranking system for vendors or a seal of approval?
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
Yagotta B. Kidding on
Interesting podcast... However, as I read all the hype around BSIMM, I never hear anyone ask about the motivations for doing this work.
As far as I know, both Cigital and Fortify are "for profit" enterprises and the last time I checked, the economy is still moribund. So, in a down economy, husbanding discretionary resources (such as travel budgets) seems prudent.
In light of those facts, a wide-scale data gathering exercise motivated by either altruism or science seems about as plausible as "standing room only" at a Windows 7 neighborhood launch party.
By Gary's own admission, a lot of time has been spent traveling to large companies in the US and Europe to assess their security practices. Gary also noted that none of the companies interviewed thus far are small or medium size companies - you know, the kind that don't have budgets to hire external security consultants.
It appears to this casual observer that BSIMM is being used as a protection racket - to scare enterprises into consulting engagements by pointing out "deficiencies" relative to the rest of the BSIMM data set. It has an interesting self-perpetuating aspect as well; as more data is gathered by companies participating in the BSIMM process, the farther "outside the norm" a target enterprise is shown to be.
How does a concerned enterprise get a higher BSIMM score? Seems obvious.