BSIMM in the Age of Agile

Since 2009, the Build Security in Maturity Model (BSIMM) has been helping organizations across a wide range of verticals build long-term plans for software security initiatives based on actual observed data from the field provided by nearly 100 participating firms.


In the most recent BSIMM report, released in late 2016, BSIMM co-author and inventor Gary McGraw highlights the challenge organizations face when it comes to correctly implementing security in agile development environments. For organizations adopting continuous integration/continuous deployment (CI/CD) and DevOps, security may be seen as an inhibitor, but it doesn't need to be. Read on to find out why.

What is BSIMM?


First published in 2009 to counter the many emerging software security methodologies that were based mainly on opinion rather than fact, the Build Security in Maturity Model (BSIMM) is a software security measurement framework that helps organizations gauge the maturity of their software security initiatives.


“[The BSIMM] doesn’t tell you what you should do. It tells you what other people are already doing.” –Gary McGraw, co-author and inventor of the BSIMM



BSIMM allows organizations to build a maturity model based on actual data gathered from relevant, real-world software security initiatives.


BSIMM’s Mission:


“To quantify the activities carried out by real software security initiatives in order to help the wider software security community plan, carry out and measure initiatives of their own.”


Currently in its seventh iteration, the BSIMM is made up of 113 activities, grouped into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment.


Created for anyone who is responsible for creating and executing a software security initiative, the BSIMM gives organizations actual measurement data from the field, thus allowing them to build a long-term plan for a software security initiative while tracking progress against their plan.


BSIMM in the Age of Agile

“Bad software equals insecure software, and companies don’t have to accept this status quo,” writes Tom Spring of Threatpost in his high-level look at the goals and takeaways of the seventh, and most recent, annual Building Security in Maturity Model report, which was released in October 2016.


Among the key challenges facing organizations that depend on rapid-release cycles is the question of how to fit security into a constantly evolving software development lifecycle.


“More verticals are developing cloud software using CI/CD (continuous integration and continuous development). This is a net plus, but a lot of companies are still struggling with how to adopt this software development approach,” McGraw notes in the 2016 BSIMM report.


When it comes to implementing security within CI/CD and DevOps environments, there are often stumbling blocks that stop security from being built into the development pipeline with confidence, largely because security is viewed as an inhibitor.


Tackling the CICD Security Challenge

Security is seen as an inhibitor


Rather than treating security as an inhibitor that will clog up the release pipeline, security teams need to find application security solutions that fit into the pipeline without compromising release speed or code quality.


Static code analysis solutions that offer features such as full IDE integration and a quick setup process don’t produce the broken processes that security teams may be wary of.


Features such as incremental scanning and best fix location, both found in Checkmarx’s CxSAST, allow teams to substantially reduce both scan time and remediation time: only new or changed code is scanned, and multiple vulnerabilities can be remediated at a single junction in the code that their data flows share.
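To make the two ideas concrete, here is a small added illustration in Python (not Checkmarx's or CxSAST's code, and not a description of its actual algorithms). It models SAST results as source-to-sink data-flow paths, picks the "best fix location" as the node shared by the most vulnerable flows, and shows the incremental-scan idea as "only re-analyze flows that touch a changed file". The file names, line numbers, and code snippets in the flows are constructed for the example.

```python
"""Toy model of 'best fix location' and 'incremental scanning'.

Constructed illustration: the flow graph below is invented, and the
selection heuristics are a simplification, not CxSAST's implementation.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One step on a data-flow path, as a SAST result would report it."""
    file: str
    line: int
    code: str


# Constructed results: three flows (two SQL injection, one XSS) that all pass
# through the same helper, normalize() in util.py.
REQ_ID = Node("handlers.py", 12, "uid = request.args['id']")
REQ_NAME = Node("handlers.py", 30, "name = request.form['name']")
NORMALIZE = Node("util.py", 8, "def normalize(s): return s.strip()")
SQL_1 = Node("db.py", 40, "cursor.execute('SELECT * FROM users WHERE id=' + uid)")
SQL_2 = Node("db.py", 58, "cursor.execute(\"... WHERE name='\" + name + \"'\")")
XSS = Node("views.py", 21, "return '<h1>' + name + '</h1>'")

FLOWS = [
    [REQ_ID, NORMALIZE, SQL_1],
    [REQ_NAME, NORMALIZE, SQL_2],
    [REQ_NAME, NORMALIZE, XSS],
]


def best_fix_location(flows):
    """Return the node that lies on the largest number of flows.

    A validation/encoding fix at that node neutralizes every flow through it.
    Ties are broken toward the node that appears earliest on its paths, so the
    fix lands as close to the untrusted input as possible.
    """
    coverage = Counter()
    earliest = {}
    for path in flows:
        for pos, node in enumerate(path):
            coverage[node] += 1
            earliest[node] = min(earliest.get(node, pos), pos)
    return max(coverage, key=lambda n: (coverage[n], -earliest[n]))


def flows_fixed_by(node, flows):
    """All flows that a fix at `node` would resolve."""
    return [path for path in flows if node in path]


def flows_to_rescan(flows, changed_files):
    """Incremental scanning, simplified: only flows that touch a changed file
    need re-analysis; every other result carries over from the previous scan."""
    return [path for path in flows
            if any(node.file in changed_files for node in path)]


if __name__ == "__main__":
    fix = best_fix_location(FLOWS)
    print(f"best fix location: {fix.file}:{fix.line}  ({fix.code})")
    print(f"flows resolved there: {len(flows_fixed_by(fix, FLOWS))} of {len(FLOWS)}")
    for changed in ({"views.py"}, {"util.py"}):
        print(f"changed {sorted(changed)} -> rescan {len(flows_to_rescan(FLOWS, changed))} flow(s)")
```

Running it picks `util.py:8` as the fix location because all three flows pass through `normalize()`, and shows that a change to `views.py` alone requires re-analyzing only the XSS flow, while a change to the shared helper forces all three. The caveat a practitioner should keep in mind: coverage tells you where a single change has the most leverage, not what the change is. A strip-and-escape helper cannot correctly serve both a SQL sink and an HTML sink; the durable fix for the two `execute` calls is parameterized queries at the sink, and for the view it is contextual output encoding, so "best fix location" is a triage aid rather than a substitute for sink-appropriate remediation.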


