No matter what level you’re at today, it’s always useful to benchmark your program against what others are doing.
From 2013 to 2016, I delivered BSIMM assessments at Cigital (now Synopsys). I met with dozens of organizations around the world, evaluating their software security programs and providing recommendations for how to take their programs to the next level.
If you’re not familiar with BSIMM, here’s the deal:
It’s a research study and strategic decision-making tool for executives.
Many organizations use the BSIMM to benchmark their application security programs against other organizations in the world and in their particular industry vertical.
They also use it to answer the question, “What should we do next?”
There are a whopping 113 application security activities in the model.
One of the most commonly observed activities is “Use external penetration testers to find problems,” but the BSIMM does not provide specific recommendations about how to evaluate a pen test program or how to take a pen test program to the next level.
For many organizations, penetration testing is a foundational component of their application security program. While conducting a BSIMM assessment, I was often asked by clients,
“How well is my pen test program performing?”
“How do I take my pen test program to the next level?”
I recently published a Pen Test Self-Assessment Questionnaire to help individuals and organizations answer these questions. You can literally complete the survey in less than 10 minutes and immediately receive a score and tailored recommendations for your pen test program.
We will be using the data collected from this survey to publish a report on the state of application security pen testing. At that time, you’ll be able to compare yourself to the other organizations that completed this questionnaire.
Do you have 10 minutes right now?