
BSIMM7 SOFTWARE SECURITY FRAMEWORK

A QUICK WALK-THROUGH OF HOW HACK2SECURE SERVICES ARE ALIGNED WITH THE FRAMEWORK
WHAT IS BSIMM?

BSIMM (Building Security In Maturity Model) is a software security measurement framework established to help organisations compare their software security initiative with those of other organisations and find out where they stand.
The Building Security In Maturity Model is a study of existing software security initiatives. By
quantifying the practices of many different organizations, we can describe the common ground shared
by many as well as the variation that makes each unique.
[Source: BSIMM]

The model is based on a study of organisations across industries such as financial services, healthcare, software, cloud providers and more.
WHY HACK2SECURE SUPPORTS ADOPTING THE BSIMM7 FRAMEWORK:

- It enables organisations to start a Software Security Initiative (SSI).
- It provides standard criteria for measuring and comparing an SSI within a domain or industry.
- It helps organisations learn from others' mistakes.
- It helps them plan, execute and measure an initiative of their own without having to bring a third party on board for the same.
- It gives clarity on what the right thing to do is.
- It helps reduce cost through standard, repeatable processes.
BSIMM FRAMEWORK

The BSIMM7 framework comprises 113 different activities, organised into 4 domains consisting of 12 practices.

Hack2Secure assists organisations in adopting the BSIMM framework, along with evaluating and implementing security controls across the Secure SDLC phases.
BSIMM Software Security Framework (SSF)

A. Governance
1. Strategy & Metrics (SM)
2. Compliance & Policy (CP)
3. Training (T)
B. Intelligence
4. Attack Models (AM)
5. Security Features & Design (SFD)
6. Standards & Requirements (SR)

C. SSDL Touchpoints
7. Architecture Analysis (AA)
8. Code Review (CR)
9. Security Testing (ST)
D. Deployment
10. Penetration Testing (PT)
11. Software Environment (SE)
12. Configuration Management & Vulnerability Management (CMVM)
A. DOMAIN: GOVERNANCE

These are the practices that help companies organise, manage and measure a Software Security Initiative (SSI).

1. Strategy & Metrics (SM):

Covers planning and publishing the software security process, defining the software security goals and the metrics needed to measure progress against them.
2. Compliance & Policy (CP):

Focuses on regulatory and compliance drivers such as PCI DSS and HIPAA.

3. Training (T):

Training is required so that participants at every level of the SSDLC have the basic security knowledge they need.
B. DOMAIN: INTELLIGENCE

These practices result in the collection and creation of the corporate intelligence an SSI relies on.

4. Attack Models (AM):

Developers think like an attacker and build up knowledge of technology-specific attack patterns. This knowledge then guides decisions about code and controls.
5. Security Features & Design (SFD):

Provides guidance on building, reviewing and publishing proactive security features, and on building (or providing pointers to) secure-by-design frameworks along with mature design patterns for the major security controls.

6. Standards & Requirements (SR):

Covers the explicit security requirements and standards the organisation adopts. Assists in both recommending and tracking the standard security controls to be used, aligned with industry standards.
C. DOMAIN: SSDL TOUCHPOINTS

Covers the essential security best practices required in the software development phases (SDLC).

7. Architecture Analysis (AA):

Builds quality control by performing security feature and design review for high-risk applications.
8. Code Review (CR):

Includes activities related to secure code implementation and the code review process.

9. Security Testing (ST):

Deals with activities related to different security testing methods such as black-box testing, fuzzing, test automation and risk-driven white-box analysis.
D. DOMAIN: DEPLOYMENT

Includes practices that interface with network security and software maintenance requirements.

10. Penetration Testing (PT):

Covers outside-in testing of the application in its final (deployed) configuration, carried out by security specialists, with findings fed directly into defect management and mitigation.
11. Software Environment (SE):

Includes activities related to secure software deployment and maintenance. Also covers mechanisms for application behaviour monitoring and diagnostics.

12. Configuration Management & Vulnerability Management (CMVM):

Tracks activities related to patching, version control and change management. Also deals with building incident handling plans and simulating responses to a software crisis.
BSIMM is widely accepted by organisations across industries and helps them compare their software security initiatives with those of industry peers.

This helps them extend the initiative across business units and drive their budgeting.

According to a number of security reports, the computer security industry as a whole is growing fast, at a rate of about 8.9% per year, generating between $20 and $40 billion in revenue annually.
