BSIMM community preview

What is BSIMM?
The Building Security In Maturity Model is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.

Chart of BSIMM benefits

How do you get access to the BSIMM community?
Firms that have completed a BSIMM assessment would have access to the members only BSIMM community web site. As a member you would:

  • Receive regular blogs (see below for examples of our original content) and discussion posts that show best practices, tips and case studies.
  • Bounce ideas and questions off of the 700-member community.
  • Attend exclusive conferences.

How do I get a BSIMM assessment done?

Check out these informational links:


    BSIMM12 report

    Learn the latest emerging trends that the BSIMM members are undertaking. This year we created an abridged version called "Trends and Insights" to provide you with the quick-hit points as well as the usual longer, more indepth report we named "Foundations." Download both to learn the new activities within appsec.

    Featured story

    AppSec training: What works and what doesn't

    Application Security training

    Application security training should be a no-brainer for developers—they’re the professionals that write and code applications. But although companies are increasingly investing in application security tools and testing, developer training is often overlooked.

    Understanding security at the start of building an app can mean the difference between software that’s developed without frustrating bugs and vulnerabilities, and apps that have to be sent back for work because the security team deems them unsecure. Developers who understand security in AppSec are a win-win for everyone.

    What are some best practices for AppSec training for developers? Read on to get a rundown of what works and what doesn’t.

    What works

    Train a champion first. If you want to launch a successful AppSec training program, start by training an internal security champion.

    “We find a champions program is very effective for training,” said Drew Thompson, instructor-led training practice director at Synopsys. “It gives champions ownership of the security process and gives their development team a single point of contact for security-related concerns and a direct line of communication to the security group.”

    How do you find someone to serve as a champion among your developers? Look for developers who express an interest in expanding their security knowledge.

    “We want to steep champions and developers in security over time,” Thompson said. “A training plane will build on the previous courses. An example may be to start with an introduction to software security. Then move into a course on the OWASP Top 10. Then, to expose developers to the offensive side of software security, we would have them take a course like attacking web applications. Offensive courses give developers some experience doing the hacking themselves. Early training makes security real for them. Software vulnerabilities are often not something they have directly interacted with before, and this helps it hit home.”

    Build customized courses. Thompson also recommended customizing material for the problems developers might face.

    “If the training content is relevant to the development team, it’s more effective,” he said. “It’s not just some words on a page or an industry best practice. They will be learning about vulnerabilities and remediation that they have found to exist in their software. Then when the course moves into the lab environments, the students can imagine the lab results in the context of their own software.”

    You should also customize curriculum based on skilled level. Training for learners just starting will be different than for an experienced developer who wants to obtain more-advanced skills. 

    Make training role-based. Effective training is tailored to specific roles, according to Brendan Sheairs, managing consultant with the Synopsys Software Integrity Group.

    “Role-based training is important,” he said. “When the security training is applicable to their job, it makes it easier to help them understand why these security issues relate to their role.”

    Get hands-on. Sheairs also advocates for hands-on training.

    “Training where they can do a lab or exercise reinforces the lesson. Through these activities they gain an intimate knowledge of the concept. It’s more engaging. We all went through labs in college. These concepts are easier to understand when you have a tactile touch with them,” Sheairs said.

    Offer incentives. Give developers who complete training or accomplish certain criteria rewards for their work. It could be a gift card, a free meal, or other fun items that acknowledge the time spent learning AppSec.

    “Sometimes it’s as simple as stickers for their laptop that reveal a level of security knowledge,” Thompson said. “For many, it’s really a point of pride to have the credibility among their peers.” 

    Make it flexible. In some instances, developers may need to fit the training into an already busy schedule. Make sure they have options to take training anywhere, whenever possible. E-learning courses allow developers to participate in security training when they have time.


    What doesn’t work

    What techniques will leave developers bored and unmotivated to learn? Avoid the following mistakes when crafting a training program.

    Biting off more than appropriate. “Keep things relevant to where developers are in their knowledge,” Sheairs said. “You want to meet them where they’re at and ensure the training is relevant and understandable to them. Trying to put people in training beyond their skillset will backfire.”

    Check-the-box activities. “We all have to train periodically on certain things. But if we are simply looking to check that box, it isn’t going to be effective,” Thompson said.

    Long training schedules. “We used to try and target eight hours on courses,” Thompson recalled. “I have pushed course owners away from that now.”

    Instead of a long training session, Thompson advises course owners to think about a topic, such as container security, and what needs to be covered for developers to effectively integrate security into the topic. Show developers you value their time by offering courses that don’t take hours to complete. It’s a bit like learning something new from YouTube. When your search returns multiple options, you’re likely to pick a shorter video that gets to the meat quickly, lets you learn the tidbit you needed, and then move into practice. This style of learning is the expectation, and effective training needs to accommodate that style.

    ACTION ITEM: What works with your AppSec training program? Leave a comment below to share.

     ALSO: What are the metrics involved in a Champions Program?

     #AppSec #training


    More stories

    Take the burden off security engineers

    Employee burnout

    As security procedures and AppSec tools have matured, the number of moving pieces that require active management has exploded. A key challenge posed by this volume of responsibilities is finding ways to minimize the tax on security engineers without compromising the velocity and functionality of your security testing infrastructure.

    Senior security engineers spend much of their time performing operational work like fixes, break remediations, and upgrades. These demands pull engineers away from performing the security work critical to their roles, such as manual testing and training.

    Recent conversations spurred our BSIMM team to explore this challenge. We spoke with two key Synopsys experts, Meera Rao, senior product management director, and Travis Biehn, principal consultant, who provided important points to deal with these situations.

    Process, process, process

    Rao was adamant that a key step to successfully removing roadblocks and excess strain on security engineers is the development of strong and clear processes. Time and again, she said, she has consulted with clients that either have no AppSec processes in place, or that don’t see the value in adhering strictly to some sort of internal process structure. She summarized her view succinctly: “If you don’t have a process in place, you will inevitably fail miserably.”

    To read more become a BSIMM member.

    Planning steps to ensure your team is a success

    As agile became the de facto internal development process, it was clear that its shorter cycles and more reactive development style were well-suited to smaller environments. Bigger companies, however, struggled to scale it. The struggle remains today: larger organizations with numerous smaller teams often see friction, as the teams both depend on one another and get in each other’s way. Another layer of management is needed in order to scale agile in larger companies.

    Scaled agile framework (SaFE) was designed to provide this additional level of management. A critical component of SaFE is program increment planning (PI planning) and the security activities incorporated into it. In its simplest form, PI planning is a quarterly meeting in which teams work together to strategically organize software development.

    For those of you already using SaFE and PI planning, here are some key practices to consider. If you’re new to these ideas, these practices might help with your struggles.

    Jamie Boote, senior security consultant at Synopsys, outlined what the ideal PI planning event would look like.

    Boote started by emphasizing the importance of everyone attending the meeting: IT, infrastructure, application security, system architects—everyone. In order for planning meetings to be most effective, everyone involved in development, whether directly or indirectly, must be an active participant. These meetings are a way of letting everyone know what’s happening, and what’s soon to happen. When participating in a SaFE environment, teams must know about activities or changes prior to deployments. Without prior knowledge and the opportunity to plan for changes or additions, they won’t have any spare cycles to fit it in. The PI planning process is all about scheduling work.

    To read more become a BSIMM member.