Building Security In Maturity Model (BSIMM)
23-Feb-2010
The LEUVEN Center on Information and Communication Technology (LICT)
Event
Title: The Building Security In Maturity Model (BSIMM) by GARY MCGRAW
When: 23.02.2010 18.00 h - 19.30 h
Category: Distinguished Lecture Program
Description
Abstract:
Software security has made great progress over the last decade. There are now at least 58 large-scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. Brian Chess, Sammy Migues and Gary McGraw interviewed the executives running nine firms’ initiatives, including: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real application security programs at different levels of maturity, was used to guide the construction of the Building Security In Maturity Model (BSIMM, http://bsi-mm.com/). Since the introduction of the BSIMM, the size of the study has been tripled to include data from 31 firms.
This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large-scale software security initiatives share common ideas and approaches. Whether one relies on the Cigital Touchpoints, Microsoft’s SDL, OWASP CLASP, or one's own methodology, there is much to learn from practical experience. BSIMM can be used as a yardstick to determine where one stands and what kind of software security strategy will work best in a specific case.
Bio of speaker:
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games, and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.
Organisation:
This lecture is jointly organised by LICT, LSEC and secappdev.org.
Registration:
Participation is free of charge, but advance registration is required by February 15.
Sandwiches will be provided.
Copyright LSEC vzw 2007-2008 with the support of the IWT.
LSEC vzw Kasteelpark 10 - 3001 Heverlee - VAT BE BE 478 045 395 - fax. +32.16.32.19.69 - info @ lsec.be