McGraw: Use VBSIMM software security model when buying software
Date: Apr 11, 2013
SAN FRANCISCO -- Plenty of enterprises develop software themselves, but just as many buy software from third-party vendors. But how can an organization quickly and accurately vet the security of someone else's software?
Software security pioneer Gary McGraw has an answer. Building on his Building Security In Maturity Model, or BSIMM, which measures secure software development processes, he has created the VBSIMM software security model, applying the same methodology to security assessments of third-party vendor software.
"If you think of the BSIMM as a measuring stick for software security," said McGraw, "this is kind of like a ruler … and you can hold that up against your vendors."
In this video, McGraw -- Cigital Inc. CTO and co-author of Building Secure Software, the industry's first book on software security -- discusses the genesis of the VBSIMM maturity model and how major corporations like JPMorgan Chase use it to hold software vendors to a higher standard and to ensure that expensive enterprise applications don't burden their customers with flawed code.