Podcast Summary: Hacking Humans - Episode on BSIMM
Podcast Information:
- Title: Hacking Humans
- Host/Author: N2K Networks
- Description: Deception, influence, and social engineering in the world of cyber crime.
- Episode: BSIMM (noun) [Word Notes]
- Release Date: June 28, 2025
Introduction to BSIMM
In this episode of Hacking Humans, N2K Networks delves into the Building Security in Maturity Model (BSIMM), a pivotal framework in the realm of software security. BSIMM serves as a benchmark for organizations to assess and enhance their software security initiatives by providing a descriptive model based on real-world practices observed across various companies.
Understanding BSIMM: Definition and Purpose
Rick Howard introduces BSIMM by breaking down its acronym:
- Building
- Security
- In
- Maturity
- Model
He explains that BSIMM is "a descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops." This model acts as a "measuring stick for software security," enabling developers to "compare and contrast their own initiative with the data about what other organizations are doing." [00:15]
Origin and Evolution of BSIMM
The concept of BSIMM was pioneered by Dr. Gary McGraw, a renowned figure in software security comparable to luminaries like Bruce Schneier and Jeff Moss. Dr. McGraw initiated the BSIMM project in March 2008 while serving as the CTO of Cigital, a software security firm. His goal was to run a scientific data collection effort that would culminate in version one of BSIMM.
Unlike prescriptive models such as the Software Assurance Maturity Model (SAMM), which outlines "what organizations should be doing" in terms of software security, BSIMM is descriptive, focusing on "what organizations are actually doing." [00:15]
Methodology: Data-Driven Model Building
A significant portion of the episode highlights the data-centric approach that distinguishes BSIMM. Gary McGraw emphasizes this methodology:
Gary McGraw [03:23]: "The idea was we're going to go gather data and we're going to take the data and then we're going to look at the data and then we're going to build a model to describe the data. I just said data, data, data, data, data. Right? Real data, take it all, build model."
He contrasts this with the traditional computer science approach, where theories are often developed first and then justified with data. Instead, BSIMM adopts the scientific norm of "a big old pile of data" leading to model creation, ensuring that the model is firmly grounded in actual industry practices.
Growth and Impact of BSIMM
Since its inception, BSIMM has grown significantly. In 2014, Synopsys acquired Cigital but continued to release annual BSIMM reports. By 2021, the BSIMM version 12 project expanded its scope, surveying 128 organizations and collecting data on 324 primary measurements from nearly 4,000 developers and 153,000 applications.
Key Findings from BSIMM Version 12
The 2021 BSIMM report highlights the top three observed software security activities:
- Implementing Lifecycle Instrumentation: Defining governance frameworks to oversee software security throughout the development lifecycle.
- Ensuring Host and Network Security Basics: Establishing foundational security measures to protect hosts and networks from potential threats.
- Identifying PII Obligations: Recognizing and managing Personally Identifiable Information (PII) to comply with privacy regulations and protect user data.
Additionally, the report notes the increasing adoption of the Software Bill of Materials (SBoM) among the surveyed organizations. An SBoM provides a comprehensive list of components in software applications, enhancing transparency and facilitating vulnerability management.
The Role of BSIMM in Standardizing Security Practices
One of BSIMM's significant contributions is fostering a common vocabulary within the software security community. By aggregating and categorizing security initiatives from multiple organizations, BSIMM enables companies to benchmark their practices against industry standards and identify areas for improvement.
Conclusion
The episode provides a comprehensive overview of BSIMM, highlighting its foundational principles, methodological rigor, and practical impact on software security practices. By prioritizing data-driven insights and fostering collaboration among organizations, BSIMM continues to be an invaluable tool for enhancing software security maturity across the industry.
Notable Quote:
Gary McGraw [03:23]: "This is weird because computer science, the way we usually do it, is, well, I have a pet theory. So I'm going to build a big old system and then I'm going to try to justify it with a little bit of data. But in most sciences, it works the other way around."
Credits:
- Word Notes is written by Nyla Genoe
- Executive Produced by Peter Kilpe
- Edited by John Pettrick and Rick Howard
- Sound Design and Original Music by Elliot Peltzman
Note: Advertisements, intros, outros, and non-content sections have been excluded to focus on the core material discussed in the episode.