BSIMM has reached version 3. Building Security In (the BSI part) remains a relatively new field, and there is a lot of learning as the field evolves. Ed Bellis pointed this out in a blog post about New School Security. In the post Ed called the book New School Security the Moneyball of Infosec (note - Adam says he would want Anthony Hopkins, not Brad Pitt, to play him in the inevitable movie adaptation of New School Security) and stressed the importance of learning from each other in infosec.
I consider the "it's perfect or it's broken" mindset the biggest enemy of making forward progress in security. Infosec mostly cannot dictate all parts of the solution at hand; it's not infosec's call whether things go Mobile, Cloud, or integrate with other companies and Identity Providers. But instead of taking its ball and going home, infosec can roll up its sleeves and engineer better stuff.
As such, maturity models are quite valuable. One thing about good maturity models is that they follow the "no flying cars allowed" rule. Maturity models don't necessarily show the A to Z set of things that need to be done for the next decade, but they allow us to see how to get from A to B and then from B to C. This is an important gap to fill for real-world practitioners: it shows a bottom-up way to make progress and how to align projects.
A lot of work has gone into BSIMM3. What was most heartening to me is that the study group now includes 42 firms, and it includes many non-specialty security firms, so the guidance is useful to a wider audience. I see that there is a small percentage of the Fortune 500 that absolutely has to care about security and be great at it. Most security guidance and tools are aimed at them. But then there is everyone else. What is appropriate, with regard to infosec, for 50 of the Fortune 500 is not necessarily cost effective for the other 450. So this widening of the lens in the maturity model is a welcome development.
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.