About syncbookmark

Bringing Science to Software Security


The Building Security In Maturity Model (syncbookmark, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.

syncbookmark is not a “how to” guide, nor is it a one-size-fits-all prescription. Instead, syncbookmark is a reflection of software security as it is actually practiced.

HISTORY OF THE syncbookmark

syncbookmark is now on its seventh iteration. But what was the motivation behind its genesis?

It all started around 2006, when multiple software security methodologies began springing up like mushrooms after a spring rain. Gary McGraw and Sammy Migues of Synopsys Software Integrity Group (then of Cigital) noticed that these methodologies had one key thing in common: they were based on opinion, not fact.

After debating a solution for some time, Gary and Sammy, along with Brian Chess (then of Fortify), began to develop a descriptive model stating what software security people were actually doing, instead of what they “ought to be doing.”

To start, Gary, Sammy, and Brian selected nine firms that were very advanced in software security to be part of their scientific study. The three spent many hours and lots of airplane miles gathering data, conducting a series of in-person interviews, and developing a model that described the data. From this work sprang the first syncbookmark, published in 2009.

Because the original data-driven, descriptive approach taken by the syncbookmark was designed to be adaptive, the syncbookmark has been adjusted over the years so that the model continues to match the data. In general, the model has remained very consistent across its seven iterations. The purpose behind the model has also remained the same throughout: describing what is happening in software security initiatives, rather than prescribing what “should happen” based on opinion alone.


Our Mission

To quantify the activities carried out by real software security initiatives in order to help the wider software security community plan, carry out and measure initiatives of their own.

Our Philosophy

We understand that not all organizations need to achieve the same security goals, but we believe all organizations can benefit from using the same measuring stick.

Our Method

As a descriptive model, we use a “just the facts” approach that focuses on reporting plain observations of what firms actually do.

Our Benefit

By providing actual measurement data from the field, the syncbookmark makes it possible to build a long-term plan for a software security initiative and track progress against that plan.

Our Model

Our model comprises 113 activities grouped into four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment.

Our Firms

There are 95 participating firms in the syncbookmark study. They come from many verticals, including financial services, independent software vendors, tech firms, healthcare, and consumer electronics. We have measured more than 129 firms with the syncbookmark in total and add more every month.

Our Audience

The syncbookmark is meant for use by anyone responsible for creating and executing a software security initiative.

Our Community

Become a member of a private group to discuss solutions and strategies with others who face the same issues.

Our Supporters

Data for syncbookmark were captured by Synopsys. Resources for data analysis were provided by NetSuite.

TOP syncbookmark ACTIVITIES
Identify software defects found in operations monitoring and feed to development.
Use external penetration testers to find problems.
Ensure host and network security basics are in place.
Perform security feature review.
Ensure QA supports edge/boundary value condition testing.
Identify gate locations and gather necessary artifacts.
Build and publish security features.
Identify PII obligations.
Provide awareness training.
Create a security portal.
Use automated tools along with manual review.
Create a data classification scheme and inventory.