{"id":5,"date":"2014-10-25T16:24:01","date_gmt":"2014-10-25T16:24:01","guid":{"rendered":"https:\/\/softwaresecurityconsulting.com\/?p=5"},"modified":"2014-10-28T16:41:26","modified_gmt":"2014-10-28T16:41:26","slug":"blog","status":"publish","type":"post","link":"https:\/\/softwaresecurityconsulting.com\/?p=5","title":{"rendered":"Shattered Skies: The start of a well rounded security initiative"},"content":{"rendered":"<p>A well-rounded security initiative has many security practices at varying maturities. B-SIMM describes these practices, all as part of a multi-year effort by the Cigital company to capture the essence of a good security lifecycle from different sectors of the industry (IV, Financial, Retail, etc\u2026). The official list of participating companies is managed by Cigital. The metadata they provide is extremely useful to everyone working in the area of lifecycle security.<\/p>\n<p>Any organization that develops, purchases, or has a standing infrastructure for software design, build, and delivery will find these practices inherent in its program, because they are the security practices you find in any such program. They show the maturity of \u201cwhat you are currently doing\u201d with those practices and \u201cwhere you are heading\u201d with them.<\/p>\n<p>The B-SIMM is broken down into four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment. All the security practices fall into one of those four domains as a sub-category of that domain. There are 12 sub-categories that hold 112 distinct practices at present. 
The security practice areas are shown below in a spider chart.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/BSIMM_Spider_graph.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-36\" src=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/BSIMM_Spider_graph-300x221.png\" alt=\"BSIMM_Spider_graph\" width=\"438\" height=\"323\" srcset=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/BSIMM_Spider_graph-300x221.png 300w, https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/BSIMM_Spider_graph.png 414w\" sizes=\"auto, (max-width: 438px) 100vw, 438px\" \/><\/a><\/p>\n<blockquote>\n<p style=\"text-align: left;\">An example of a Security Practice spider chart from an article by Gary McGraw at Cigital, http:\/\/www.cigital.com\/presentations\/mco2014030081.pdf<\/p>\n<\/blockquote>\n<p>A spider chart provides a quick, dashboard-level view of the maturity of those 12 security practice areas, allowing the current efforts in a software security initiative to be quickly compared and contrasted with the general industry and with individual industry sectors. 
A \u201chigh water mark\u201d line allows contrast measurements to be taken against lower-resolution security programs.<\/p>\n<p style=\"text-align: center;\">The 12 Security Practice areas are set across the four domains as follows:<\/p>\n<table style=\"height: 246px;\" width=\"735\">\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><strong>Governance<\/strong><\/td>\n<td style=\"text-align: left;\"><strong>Intelligence<\/strong><\/td>\n<td style=\"text-align: left;\"><strong>SSDL Touchpoints<\/strong><\/td>\n<td style=\"text-align: left;\"><strong>Deployment<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Strategy and Metrics<\/td>\n<td>Attack Models<\/td>\n<td>Architectural Analysis<\/td>\n<td>Penetration Testing<\/td>\n<\/tr>\n<tr>\n<td>Compliance and Policy<\/td>\n<td>Security Features and Design<\/td>\n<td>Code Review<\/td>\n<td>Software Environment<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\">Training<\/td>\n<td style=\"text-align: left;\">Standards and Requirements<\/td>\n<td style=\"text-align: left;\">Security Testing<\/td>\n<td style=\"text-align: left;\">Configuration Management and Vulnerability Management<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Now, a <a title=\"A secure SDLC\" href=\"https:\/\/softwaresecurityconsulting.com\/?p=40\">secure Software Development Life-Cycle (SDLC)<\/a> is needed to put those security practices into action.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A well rounded security initiative has many security practices at a varying maturities. B-SIMM describes these practices, all in apart of a multi-year effort by the Cigital company to capture the essence of a good security lifecycle from different sectors in the industry (IV, Financial, Retail, etc&hellip;). 
The official list of companies are managed by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":55,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3,5,4],"class_list":["post-5","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-security","tag-b-simm","tag-lifecycle","tag-sdlc"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.7.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Shattered Skies: The start of a well rounded security initiative - Software Security Consulting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/softwaresecurityconsulting.com\/?p=5\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shattered Skies: The start of a well rounded security initiative - Software Security Consulting\" \/>\n<meta property=\"og:description\" content=\"A well rounded security initiative has many security practices at a varying maturities. B-SIMM describes these practices, all in apart of a multi-year effort by the Cigital company to capture the essence of a good security lifecycle from different sectors in the industry (IV, Financial, Retail, etc&hellip;). 
The official list of companies are managed by [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/softwaresecurityconsulting.com\/?p=5\" \/>\n<meta property=\"og:site_name\" content=\"Software Security Consulting\" \/>\n<meta property=\"article:published_time\" content=\"2014-10-25T16:24:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2014-10-28T16:41:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/Shoreline.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1730\" \/>\n\t<meta property=\"og:image:height\" content=\"450\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"lucidmonk\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"lucidmonk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=5\",\"url\":\"https:\/\/softwaresecurityconsulting.com\/?p=5\",\"name\":\"Shattered Skies: The start of a well rounded security initiative - Software Security 
Consulting\",\"isPartOf\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#website\"},\"datePublished\":\"2014-10-25T16:24:01+00:00\",\"dateModified\":\"2014-10-28T16:41:26+00:00\",\"author\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9\"},\"breadcrumb\":{\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=5#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/softwaresecurityconsulting.com\/?p=5\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/?p=5#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/softwaresecurityconsulting.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shattered Skies: The start of a well rounded security initiative\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#website\",\"url\":\"https:\/\/softwaresecurityconsulting.com\/\",\"name\":\"Software Security Consulting\",\"description\":\"It&#039;s better to learn wisdom late, than never learn it at all.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/softwaresecurityconsulting.com\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9\",\"name\":\"lucidmonk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g\",\"caption\":\"lucidmonk\"},\"url\":\"https:\/\/softwaresecurityconsulting.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Shattered Skies: The start of a well rounded security initiative - Software Security Consulting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/softwaresecurityconsulting.com\/?p=5","og_locale":"en_US","og_type":"article","og_title":"Shattered Skies: The start of a well rounded security initiative - Software Security Consulting","og_description":"A well rounded security initiative has many security practices at a varying maturities. B-SIMM describes these practices, all in apart of a multi-year effort by the Cigital company to capture the essence of a good security lifecycle from different sectors in the industry (IV, Financial, Retail, etc&hellip;). 
The official list of companies are managed by [&hellip;]","og_url":"https:\/\/softwaresecurityconsulting.com\/?p=5","og_site_name":"Software Security Consulting","article_published_time":"2014-10-25T16:24:01+00:00","article_modified_time":"2014-10-28T16:41:26+00:00","og_image":[{"width":1730,"height":450,"url":"https:\/\/softwaresecurityconsulting.com\/wp-content\/uploads\/2014\/10\/Shoreline.jpeg","type":"image\/jpeg"}],"author":"lucidmonk","twitter_misc":{"Written by":"lucidmonk","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/softwaresecurityconsulting.com\/?p=5","url":"https:\/\/softwaresecurityconsulting.com\/?p=5","name":"Shattered Skies: The start of a well rounded security initiative - Software Security Consulting","isPartOf":{"@id":"https:\/\/softwaresecurityconsulting.com\/#website"},"datePublished":"2014-10-25T16:24:01+00:00","dateModified":"2014-10-28T16:41:26+00:00","author":{"@id":"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9"},"breadcrumb":{"@id":"https:\/\/softwaresecurityconsulting.com\/?p=5#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/softwaresecurityconsulting.com\/?p=5"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/softwaresecurityconsulting.com\/?p=5#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/softwaresecurityconsulting.com\/"},{"@type":"ListItem","position":2,"name":"Shattered Skies: The start of a well rounded security initiative"}]},{"@type":"WebSite","@id":"https:\/\/softwaresecurityconsulting.com\/#website","url":"https:\/\/softwaresecurityconsulting.com\/","name":"Software Security Consulting","description":"It&#039;s better to learn wisdom late, than never learn it at 
all.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/softwaresecurityconsulting.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/0dfdc11a3e348fb376fa2e2c5d0f10b9","name":"lucidmonk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/softwaresecurityconsulting.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1d28454298361d57be31f2e919e9bd3c21f8686aa0651cefb33fbdcd403ff177?s=96&d=mm&r=g","caption":"lucidmonk"},"url":"https:\/\/softwaresecurityconsulting.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/posts\/5","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5"}],"version-history":[{"count":7,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions"}],"predecessor-version":[{"id":49,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions\/49"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=\/wp\/v2\/media\/55"}],"wp:attachment":[{"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/softwaresecurityconsulting.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}