Your organization is a well-known software development organization aiming to improve development processes and deliver quality software. Which of the following is the best instrument to benchmark how well your organization performs against other organizations in terms of security? (Wentz QOTD)
A. Capability Maturity Model Integration (CMMI)
B. Cybersecurity Maturity Model Certification (CMMC)
C. Building Security In Maturity Model (BSIMM)
D. Software Assurance Maturity Model (SAMM)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Building Security In Maturity Model (BSIMM).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

CMMI, CMMC, BSIMM, and SAMM are good models to evaluate software development capability. However, BSIMM is the best to benchmark how well an organization performs against others in terms of security.

Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs. It quantifies the application security (appsec) practices of different organizations across industries, sizes, and geographies while identifying the variations that make each organization unique.

BSIMM consists of:

An assessment that provides an objective, data-driven evaluation of an organization’s current appsec program

Membership in a community of security peers that offers collaboration, best practices, and exclusive content

Global conferences that include keynote sessions from security leaders, networking opportunities, and forums to exchange techniques and practices

An annual report (currently BSIMM12) that provides a data-driven analysis of real-world software security programs, practices, and activities

Source: BSIMM

Reference

• OWASP SAMM
• Cybersecurity Maturity Model Certification
• The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))
• About BSIMM
• Capability Maturity Model Integration (CMMI)

---

您的組織是一家知名的軟件開發組織，旨在改進開發流程並交付高質量的軟件。 以下哪一項是衡量您的組織在安全性方面與其他組織相比的表現的最佳工具？ (Wentz QOTD)
A. 能力成熟度模型集成 (CMMI)
B. 網絡安全成熟度模型認證 (CMMC)
C. 在成熟度模型中構建安全性 (BSIMM)
D. 軟件保障成熟度模型 (SAMM)