hi sc-l,

Third party software is a major risk category in most modern organizations (see Third-Party Software and Security <http://www.informit.com/articles/article.aspx?p=1809143>). We have been working on a BSIMM derivative called the vBSIMM to help manage third party software risk. Today we published a second, revised version of the vBSIMM. Instead of focusing on individual applications, the vBSIMM approach focuses on software security initiative measurement.

After trying vBSIMM out at a major Wall Street bank as a pilot and then discussing the results of that study during the second BSIMM Conference last fall, we have completely revised the vBSIMM model. Read about the changes here: vBSIMM Take Two (BSIMM for Vendors Revised) <http://www.informit.com/articles/article.aspx?p=1832574> (January 26, 2012)

The vBSIMM is now graduating from pilot to full-fledged use at the bank where we first rolled it out. We welcome others to make use of it as well. For more on the relation between the vBSIMM and the real BSIMM, see http://bsimm.com/vbsimm/.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________