The Building Security In Maturity Model (BSIMM) is a descriptive model of software security programs. BSIMM gathers the activities that a collection of companies are already doing as a way to assess a firm’s maturity in software security.
Several BSIMM participants are also Security Compass clients, and it’s clear to see why: SD Elements maps to just under 70% of the BSIMM activities. This means that using SD Elements will provide you with assistance in achieving over two thirds of BSIMM activities, though the degree to which it helps will vary by activity.
Broadly, SD Elements helps with BSIMM domains in the following way:
- Governance: SD Elements serves as a central store for many software security activities. It provides visibility at both aggregate (enterprise-wide or business-unit wide levels) as well as at individual application/project levels. Custom content, embedded training, reporting and compliance mapping round out the major governance capabilities.
- Intelligence: SD Elements core features are key enablers of security standards, requirements, and design work. SD Elements serves as the first security touchpoint in the software development process for most clients and enables building security in from the start.
- SSDL Touchpoints: Describing projects in SD Elements and automatically generating tasks provides a scalable baseline for architectural analysis. Moreover, testing tasks and correlation with requirements allows for better tracking of code review and security testing activities. Integration with static and dynamic testing tools tie security testing activities to requirements.
- Deployment: Though primarily focused on pre-deployment, SD Elements testing tasks provide a way to associate penetration testing activities with other activities from the rest of the software development lifecycle. Projects in SD Elements also serve as a repository of information used for identifying and tracking configuration and vulnerability management.
The attached Excel document (BSIMM Mapping) provides additional detail on how SD Elements capabilities map to the BSIMM activities. If you are currently using BSIMM to measure your software security initiative and you want to learn more about how SD Elements can help, contact us to learn more!