Collective Intelligence Podcast, Gary McGraw on BSIMM9 and Supply Chain Security
The Building Security In Maturity Model, better known as BSIMM, has become the de facto tool for measuring software security in the enterprise. One of its architects, Gary McGraw, vice president of security technology at Synopsys, is a software security pioneer who has written numerous books on the topic. He joins editorial director Mike Mimoso on this episode of the Collective Intelligence podcast to discuss BSIMM9, the latest version of the report, and some of the trends that emerged from the data collected from 120 contributing companies.
McGraw identified one takeaway as the architectural convergence among internet of things vendors, independent software vendors, and cloud vendors. Similar secure development practices have emerged between the three vertical markets, with McGraw calling it a “natural convergence.”
Driving this convergence, he said, is the distributed nature of these three separate markets, which calls for similar approaches to securing them. In concert, DevOps continues to inch forward as a priority as organizations release updates more quickly and continuous integration becomes a reality for many development shops. The integration of security into DevOps is another emerging trend of note, the report says.
BSIMM9 also features, for the first time, nine retail companies as contributors, and McGraw notes that retail’s software security practices are already ahead of those of its healthcare counterparts. One reason is the rash of payment card breaches that have hit major retailers in the last five years, driving those organizations to lock down their security practices.
Finally, McGraw discusses the state of supply chain security in the enterprise and the risks posed by interdiction at a supplier, and what kind of visibility enterprises can demand contractually into a vendor’s code review and other secure development practices.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine, where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.