Hi All,
The BSIMM is primarily a measuring stick for software security. The best way to use it is to compare and contrast your own initiative with the data about what other organizations are doing. The BSIMM also functions as a roadmap for an SSI (software security initiative). You can identify your own goals and objectives, then refer to the BSIMM to determine which additional activities make sense for you.
The purpose of the BSIMM is to quantify the activities carried out by various kinds of SSIs across many organizations. Because these initiatives use different methodologies and different terminology, the BSIMM requires a framework that allows us to describe any initiative in a uniform way. Our software security framework (SSF) and activity descriptions provide a common vocabulary for explaining the salient elements of an SSI, thereby allowing us to compare initiatives that use different terms, operate at different scales, exist in different parts of the organizational chart, operate in different vertical markets, or create different work products.
------------------------------
Michael Roza CPA, CISA, CIA
------------------------------