McGraw: Use VBSIMM software security model when buying softwareDate: Apr 11, 2013
SAN FRANCISCO -- Plenty of enterprises develop software themselves, but just as many buy software from third-party vendors. But how can an organization quickly and accurately vet the security of someone else's software?
Software security pioneer Gary McGraw has the answer. Building off of his Building Security In Maturity Model, or BSIMM, which measures secure software development processes, he's created the VBSIMM software security model, applying the same methodology to third-party vendor software security assessments.
"If you think of the BSIMM as a measuring stick for software security," said McGraw, "this is kind of like a ruler … and you can hold that up against your vendors."
In this video, McGraw -- Cigital Inc. CTO and co-author of Building Secure Software, the industry's first book on software security -- discusses the genesis of the VBSIMM maturity model and how major corporations like JPMorgan Chase use it to hold software vendors to a higher standard and ensure that expensive enterprise applications don't mar their customers with flawed code.