In this episode, Gene Fay interviews Sammy Migues, Principal at Imbricate Security, about his journey into cybersecurity and his work on the Building Security in Maturity Model (BSIMM). Sammy shares his experience starting in computer science in the late 1970s and how he became a computer security professional. He explains the motivation behind creating the BSIMM and how it helps organizations measure and improve their software security practices. Sammy also discusses the trifecta for career success, which includes setting a strategy, translating business objectives into actionable steps, and contextualizing skills within the organization. Finally, Sammy shares his thoughts on the cybersecurity shortage and the challenges in hiring and retaining skilled professionals.
Takeaways:
* Starting a career in cybersecurity can begin with a degree in computer science and a willingness to adapt and learn as the industry evolves.
* The Building Security in Maturity Model (BSIMM) is a framework that helps organizations measure and improve their software security practices.
* The trifecta for career success in management includes setting a strategy, translating business objectives into actionable steps, and contextualizing skills within the organization.
* The cybersecurity shortage is not just a lack of professionals, but also a result of challenging hiring processes and unrealistic job requirements.
Unqork is a no-code application platform that helps large enterprises rapidly build complex custom software by completely removing the usual development challenges of a traditional code-based approach. In this episode, Harshil chats with Unqork's Chief Information Security Officer, Daniel Wood, to learn more about how he's helped build and scale the company's product security program. Daniel has more than a decade of experience in cybersecurity, having worked as an information security analyst and lead security engineer in previous roles.
Topics discussed:
* Daniel's career journey and his transition from risk-based security work to technical security engineering, consultancy, and corporate security work
* Changes Daniel implemented after joining Unqork, and how he chose what security aspects to prioritize and invest in
* Leveraging the OpenSAMM or BSIMM model to guide security investment decisions
* Unqork's goal of building product security features to reduce friction between the engineering and security teams
* How to drive the adoption of security initiatives across an organization
* How Unqork handles code ownership, architecture review processes, and threat modeling
* Unqork's maturity roadmap for the future
What are the merits of the Software Assurance Maturity Model (SAMM), and how does it differ from the Application Security Verification Standard (ASVS) model? And why should you care? From design to operations, there are several crucial considerations to hold regarding business functions and use cases. I invited Taylor Smith, Application Penetration Testing Lead at Pivot Point Security, onto the show to provide insights into SAMM, including definitions, the differences between SAMM, ASVS, and BSIMM, and how these models are relevant in today's software development environment. To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop and can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops.
On this episode of the CSZ Podcast, coming to you live from the Fitness Market Studios! Our guys Jeremy, Shawn, Sam, Joey, Dalton and Higgy talk about what's going on in the land of the Cards. We also got a fire new intro from our guy BSIMM! We talk Media Day, Open Practice, predictions, Lamar, Basketball newcomers, Louisville Live at Churchill, Olympic Gold plus much, much more. Check it out! The CSZ Podcast is brought to you by 4 Pegs Beer Lounge, All America Pool & Supply, Fitness Market, Shack in the back BBQ & Derby City Lawn & Landscape! Follow us on Twitter at: @CardSportZone @Jeremy_CSZ @lvilleshawn @baseboy124 @joewahman526 @dpence_ @WesB_42 @iamthehiggy @FourPegsBeer @ShackBBQ
In this episode of AppSec Builders, Jb is joined by security expert John Steven to discuss his BSIMM study findings, the fundamental shifts in AppSec, software-defined security governance, and much more.
About John:
LinkedIn: https://www.linkedin.com/in/m1splacedsoul/
Twitter: https://twitter.com/m1splacedsoul
Through his firm Aedify, John advises innovative security product firms as well as maturing security initiatives. John leads one such firm, ZeroNorth, as CTO. For two decades, John led technical direction at Cigital, where he rose to the position of co-CTO. He founded spin-off Codiscope as CTO in 2015. When both Cigital and Codiscope were acquired by Synopsys in 2016, John transitioned to the role of Senior Director of Security Technology and Applied Research. His expertise runs the gamut of software security: from managing security initiatives, to cloud security, to threat modeling and security architecture, to static analysis, as well as risk-based security orchestration and testing. John is keenly interested in software-defined security governance at the cadence of modern development. As a trusted adviser to security executives, he uses his unparalleled experience to build, measure, and mature security programs. He co-authors the BSIMM study and serves as co-editor of the Building Security In department of IEEE Security & Privacy magazine. John is regularly invited to speak and keynote.
Resources:
Latest BSIMM: https://www.bsimm.com/download.html?cmp=pr-sig&utm_medium=referral
Aedify Security: https://www.linkedin.com/company/aedifysecurity/
Concourse Labs: https://www.concourselabs.com/
Transcript
[00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec hosted by JB Aviat.
Jb Aviat: [00:00:14] So welcome to this episode of AppSec Builders. Today I'm proud to interview John Steven.
So, John is the founding principal at Aedify where he advises product security firms. John, before that, you led ZeroNorth as a CTO and before that you were leading as co-CTO at the Cigital firm. Welcome, John.
John Steven: [00:00:36] Hello, how are you? Thanks for having me.
Jb Aviat: [00:00:38] I'm great, thanks for joining. So John, another thing that you've done is that you co-authored BSIMM, so could you let us know what it is and how it can be a useful tool to AppSec builders?
John Steven: [00:00:50] Yeah, it's worth clarifying because it's frequently misunderstood. The BSIMM is the building security in maturity model observational study. We went out and over a period of 11 years we've studied about two hundred and over two hundred firms and asked the question, what do you actually do to build your security initiative and to secure your software? And it doesn't prescribe what to do, but you can use it to look at what firms that are within your vertical or that look similar to you in terms of maturity, are doing with their time and money, and decide whether or not you want to replicate those behaviours or cut your own.
Jb Aviat: [00:01:29] So you are interviewing like CISO application security practitioners, developers, like every actor of the security game.
John Steven: [00:01:38] Yes. Historically, the list has looked like what you described. What was interesting to us about the last two years of this study is that when we began talking with the CISO, they'd say, oh, you need to talk to the VP of Cloud on this, or actually you need to talk to the SREs and to delivery or to the VP of engineering. The people we had to talk to fundamentally changed over the last two years. And that was a key finding that we wrote about this year, that the people doing the work of security were shifting from the security group to the engineering, digital transformation and cloud groups.
John Steven: [00:02:20] And that's a big deal, right, because there's been these phrases...
In today's episode we discuss the different methods available to support security work, for example OpenSAMM, BSIMM, SANS 20 critical security controls, ISO 27001, etc.
In today's episode Wojtek met with Andrzej Dyjak, who works on security, with a particular emphasis on secure code and DevSecOps. The guys talked not only about how to build secure applications, but also about how to raise awareness of this topic within teams, how to support a DevSecOps culture from the bottom up, and which is harder to secure: a mobile application or a front-end application? Happy listening!
CSZ 2020 NFL Draft Recap
In this bonus episode of the CSZ Podcast, brought to you by 4 Pegs Beer Lounge, Derrick Stewart from JP Pirtle realtors, T-shirt Hooligan and Altitude Trampoline Park, the fellas get emotional and talk about the highs of Mekhi Becton's NFL Draft moment to the lows of getting the news that Dexter Rentz was shot and killed the night before. Such an emotional ride. We bring our guy BSIMM on to talk about the NFL Draft, LJ Madden Cover and just things going on in life. BSIMM came ready for a rap off with Higgy. It didn't go well. The CSZ Podcast is brought to you by 4 Pegs Beer Lounge, Shack in the back BBQ, T-shirt Hooligan and Altitude Trampoline Park of Louisville! Follow us on Twitter at: @CardSportZone @Jeremy_CSZ @lvilleshawn @baseboy124 @joewahman526 @iamthehiggy @FourPegsBeer @AGENTSTEW @HooliganTshirt @AltitudeLouKy
On this week's episode of the CSZ Podcast, Jeremy, Sam, Joey and Higgy review the week in Cardinal Athletics from the amazing Jamon Brown Foundation Studios! Today the squad welcomed in a guest host, Katie Goben, and our guests this week were the one and only BSIMM and Louisville Media mainstay and woman of many jobs, Daryl Foust! The team reviews the bounce back week from the Men's Basketball team, great weeks by Baseball and Women's Basketball, and the panel takes a shot at Daryl in our True-False segment! We also go over the local music scene on the rise and find out why Jeremy was not included in the latest, or any, of the YDWTC Videos. It was a great show! The CSZ Podcast is brought to you by 4 Pegs Beer Lounge, Rimtyme and Advertising Solutions. Follow us on Twitter at: @Jeremy_CSZ @JB_The_GREAT_68 @darylfoust4 @OfficialBsimm @katiegoben @joewahman526 @baseboy124 @DanielSpencer @iamthehiggy
Dr. Gary McGraw, renowned American Computer Scientist and Vice President of Security Technology at Synopsys, talks about his efforts around the Building Security in Maturity Model (BSIMM) project, conducted over years of software security drama with over 109 of the world's leading companies across various sectors, and he explains why security at the design phase of software is so vitally important. Dr. McGraw also talks about his new study with numerous CISOs around the country to evaluate how information security is approached from a financial, compliance, technology, and business enabler perspective in their respective organizations. Host George Rettas also provides his analysis on the new Office of Inspector General (OIG) Report that states that The Office of the Interior is in disarray when it comes to their Cyber Security Posture almost 3 years after the OPM breach.
Gary McGraw is the Vice President of Security Technology at Synopsys, the best-selling author of "Software Security" and 11 other books, and the man behind the Silver Bullet Security Podcast. In this episode, Ben Wilde interviews him about everything from the BSIMM and OWASP Top 10 to software security best practices and how to get companies to start thinking about security early and often. https://www.garymcgraw.com/ https://www.bsimm.com/ https://cybersecurity.ieee.org/center-for-secure-design/ https://www.maxmyinterest.com/
Ken and Seth are back! Joined in this episode by Brian Glas, aka @infosecdad, aka Professor Glas to talk about all things OWASP Top 10 2017, the path to his involvement, and how it almost split AppSec in two. Also a discussion on OWASPSAMM vs. OpenSAMM vs. BSIMM.
Welcome to the 96th episode of SDCast, which is about the security of the applications we develop. My guest is Yuri Shabalin, lead architect at Swordfish Security. In this episode we talk about SecDevOps practices, Application Security and other aspects of the information security of software products. Together with Yura we tried to walk through the whole software development life cycle and discuss how and at which stages security mechanisms can and should be introduced: from what can be done at the stage of defining the task and gathering requirements, through to active and proactive monitoring of production applications. Yura talked about the various classes of tools that help with information security tasks, such as:
* SAST (static analysis tools)
* SCA/OSA (tools for controlling the risk of open-source components)
* DAST/IAST (dynamic/interactive analysis tools)
* Continuous integration / continuous deployment (CI/CD) tools
* Defect management tools
We discussed how these tools can be embedded painlessly into existing CI/CD processes and how best to approach these questions when starting a new project.
Links to resources on the topics of the episode:
* Basic vulnerabilities: OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
* OWASP Application Security Verification Standard requirements (https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Downloads)
* How to verify requirements (OWASP Testing Guide) (https://github.com/OWASP/OWASP-Testing-Guide-v5)
* BDD Security (https://continuumsecurity.net/bdd-security/). A good idea for how to automate the verification of requirements
* BSIMM. A framework for building an SSDL process (https://www.bsimm.com/)
* OpenSAMM. A framework for building an SSDL process (https://www.opensamm.org/)
* Nexus IQ. A platform for checking open-source components (https://www.sonatype.com/nexus-iq-server)
* Checkmarx SAST. A SAST tool (https://www.checkmarx.com/products/static-application-security-testing/)
* AppSec Orchestration. Management and orchestration of SSDL processes (https://swordfishsecurity.ru/appsechub)
* The backdoor in event-stream (https://habr.com/post/431360/)
* Several open-source deliberately vulnerable projects for training:
* DVWA (http://www.dvwa.co.uk/)
* Juice Shop (https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* iOS (http://damnvulnerableiosapp.com/)
* Android (https://github.com/dineshshetty/Android-InsecureBankv2)
* A guide for Security Champions (security-champions-playbook) (https://github.com/c0rdis/security-champions-playbook)
Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), and also with a retweet, a post, or simply by telling your friends!
Software security expert Gary McGraw discusses the recently released Building Security In Maturity Model report. BSIMM 9 includes contributors from 120 enterprises worldwide, and is used as a measurement tool to evaluate software security practices and identify trends in the practice. Gary also comments on the current state of supply chain security and how companies should be working with vendors on the transparency of software security provided by third parties.
Host Kevin Greene and guest Jim Routh, Chief Security Officer at Aetna, discuss the importance of developing a software security program designed to help reduce the cost of maintaining software by detecting vulnerabilities early in the software development process. Jim discusses key observed software assurance practices and lessons learned from BSIMM that help improve software security. Jim also shares his thoughts on IoT and medical device security in the healthcare industry.
Host Kevin Greene and guest Caroline Wong, Vice President of Security Strategy at Cobalt, discuss the challenges organizations face in adopting DevOps practices. Caroline discusses the importance of formulating a security culture and sound security practices for successful DevOps. Caroline draws from her experience with BSIMM as a key maturity model for shaping software assurance and AppSec in DevOps.
**Brakeing Down Security has a Slack channel now... just go to https://brakesec.signup.team and follow the instructions to have the bot add you to our show's official channel.**
Every year, organizations come out with industry reports that show how well or, more often than not, how poorly we are doing. We always enjoy reviewing the BSIMM report, because it's an unvarnished and good measure of a good number of industry verticals, like finance, manufacturing, cloud, and even companies that make IoT devices. Join Mr. Boettcher and me this week as we go over the findings of the report, discuss what got better, what still sucks, and what we shouldn't fault companies for not having. We also have a teachable moment when I discuss a security faux pas that happened to me (Bryan) recently regarding an email account and my Skype. 2-factor authentication is your friend, and if it's available, use it. Mr. Boettcher discusses some recent malware that has reared its ugly head, and how to detect it.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-043-BSIMMv7.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-043-bsimmv7-teachable/id799131292?i=1000377394890&mt=2
YouTube: https://www.youtube.com/watch?v=I3FLSLSSb_Y
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582
The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. It is built directly from data observed in 78 software security initiatives from firms in nine market sectors. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing as described in the model. You can then identify goals and objectives and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time. In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.
#Jay #Schulman is a consultant with 15+ years of experience in helping organizations implement #BSIMM and other compliance frameworks. For our first #podcast of 2016, we invited him on to discuss the BSIMM further and what he has found to be the best way to implement it in a company's #security #program.
Jay Schulman's #website: https://www.jayschulman.com/
Jay's Podcast "Building a Life and Career in Security" (iTunes): https://itunes.apple.com/us/podcast/building-life-career-in-security/id994550360?mt=2&ls=1
Jay's Twitter: https://twitter.com/jschulman
TuneIn Radio App: http://tunein.com/r…/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Bryan's Twitter: http://www.twitter.com/bryanbrake
Brian's Twitter: http://www.twitter.com/boettcherpwned
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com
iTunes Link: https://itunes.apple.com/us/podcast/2016-001-jay-schulmann-explains/id799131292?i=360028388&mt=2
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-001-JaySchulman-BSIMM.mp3
The Building Security In Maturity Model (#BSIMM) is a #framework that is unique in that it gives your company a measuring stick to know how certain industry verticals stack up against yours... We didn't want to run through all 4 sections of the BSIMM, so this time we concentrated on the #software #security standards, the "Deployment" section specifically...
BSIMM V6 download (just put junk in the fields, and download ;) ): https://www.bsimm.com/download/
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2015-047_BSIMM.mp3
iTunes: https://itunes.apple.com/us/podcast/2015-047-using-bsimm-framework/id799131292?i=357545342&mt=2
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
BrakeSec Podcast Twitter: http://www.twitter.com/brakesec
Join our Patreon!: https://www.patreon.com/bds_podcast
Comments, Questions, Feedback: bds.podcast@gmail.com
In this episode:
* We discuss the largest challenges in the state government sector
* Brian discusses balancing the need for openness versus security/secrecy
* Phil talks about the challenge of balancing policy with agency needs in state government
* Michael asks how state-level security justifies and prioritizes security requirements
* Raf asks how policy is created that can be both effective and broad
* The group talks about metrics, policy implementation, and showing value to protecting citizens
* The guys answer "What's the best piece of advice you've gotten in your career?"
Guests
Philip Beyer ( @pjbeyer ) - Philip is a security professional with more than 12 years of progressive experience. Currently leading information security for an organization as a function of business goals and risk profile. Consummate generalist with background in multi-client consulting and specialization in risk management, incident handling, security operations, software assurance (OpenSAMM, BSIMM), and technical compliance testing (ISO 27002, PCI-DSS, HIPAA). Confident leader, problem solver, relationship builder, technical communicator, public speaker, presenter, and security evangelist. Fast-paced learner with a strong work ethic and self-starter attitude.
Brian Engle ( @brianaengle ) - Currently the Chief Information Security Officer & Texas Cybersecurity Coordinator, a results-oriented executive and leader with over 20 years of progressive experience in Information Technology and Information Security across the government, healthcare, manufacturing, financial services, technology, telecommunications and retail verticals. His specialties include risk management, project management, and cost-effective delivery of appropriate security solutions within organizational risk tolerances. Consummate generalist with a background in effective incident management, security and network operations, vulnerability and threat management, as well as technical compliance evaluation and gap analysis.
As a discipline, software security has made great progress over the last decade. There are now at least 46 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Since its March release, the BSIMM is being expanded to include BSIMM Europe, BSIMM II, and BSIMM Lite. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.
About the speaker:
company: http://www.cigital.com
podcast: http://www.cigital.com/silverbullet
podcast: http://www.cigital.com/realitycheck
blog: http://www.cigital.com/justiceleague
book: http://www.swsec.com
personal: http://www.cigital.com/~gem
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.