TMCnet News

New Study Provides Real-World Data on Leading Software Security Initiatives in Europe; First-ever European Maturity Model Details Success of SWIFT, Nokia and others
[November 12, 2009]

New Study Provides Real-World Data on Leading Software Security Initiatives in Europe; First-ever European Maturity Model Details Success of SWIFT, Nokia and others

(M2 PressWIRE Via Acquire Media NewsEdge) London -- Fortify Software, the market leader in Software Security Assurance solutions, and Cigital, the largest software security consulting firm in the world, announced today the release of the Building Security In Maturity Model for Europe or "BSIMM Europe," an application of the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program to the European market. BSIMM Europe illuminates the software security practices of some of the most advanced organizations in Europe, including Nokia, SWIFT, Standard Life, Telecom Italia, and Thomson Reuters, and four companies that chose to remain anonymous.

Released in March 2009, the original BSIMM study was based on in-depth interviews with leading enterprises including Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC). BSIMM Europe describes a set of activities practiced by nine European firms chosen from among the 56 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.

"Nokia's participation in the BSIMM Europe project reflects a mutual, ongoing interest in setting, updating, and maintaining the highest standards in software security," said Janne Uusilehto, Head of Product Security, Nokia. "The insights gained from the BSIMM project will doubtlessly further the definition of standards, which will not only serve as critical tools for measuring and comparing, but will also for enable the evolution of software security initiatives." "Software security is a world-wide phenomenon. We are very grateful to the European participants in the BSIMM Europe study, and for the chance to compare and contrast large-scale software security initiatives in different geographies," said Dr. Gary McGraw, CTO of Cigital and author of the best selling book Software Security. "Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization." "Software is essential to business throughout the world, and at the same time the threat to that software is at an all-time high," said Dr. Brian Chess, co-founder and Chief Scientist of Fortify Software. "European businesses need software that doesn't leak millions of identity records, gin up huge legal liabilities, or allow secrets to fall into the wrong hands." Chess, McGraw and coauthors David Harper, Matias Madou, and Florence Mottay collected data on each European firm's software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., and uncovered a number of common themes among each of the successful initiatives, including: -   In general, European approaches to software security have many activities in common with US initiatives.  European software security approaches place more emphasis on process than do their US counterparts, and also emphasize privacy to a greater extent.

-   We observed eleven activities that all European firms practice, including publishing a process, identifying gates, creating secure coding standards, and identifying PII obligations.

- There are fifteen BSIMM activities (of 110) not observed in Europe at all."The minor differences in the findings in BSIMM Europe and BSIMM US are reflective of the cultural differences between the two continents," said Eric Baize, Senior Director of the Product Security Office at EMC. "However, the amount of common ground shared by both is more evidence that the core practices for software security are universal." "When I heard about BSIMM I let out a cheer-at long last a practical guide for those that want to do application security for real," said analyst Nigel Stanley, Security Practice Leader at Bloor Research. "Gary, Brian, and the gang behind this deserve a real pat on the back." Since March, Cigital and Fortify have gathered data from twenty-seven leading software security initiatives, tripling the size of the original BSIMM study and providing additional insight on trends and activities particular to certain vertical industries, geographies and company sizes, among other factors.

Both BSIMM and BSIMM Europe are available under creative commons license here:

About Fortify Software, Inc.

Fortify 's Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite-Fortify 360-drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at or visit our blog at

About Cigital Cigital, Inc. is the leading software security and quality consulting firm in the world. Established in 1992, Cigital plans and implements initiatives that help organizations ensure their applications are secure and reliable while also improving how they build and deploy software. Our recognized experts apply a combination of proven methodologies, tools, and best practices to meet each client's unique requirements. Cigital is headquartered near Washington, D.C. with regional offices in the U.S. and India.

((Comments on this story may be sent to [email protected])) (c) 2009 M2 COMMUNICATIONS

[ Back To's Homepage ]