Here are answers to some of the most commonly asked questions about BSI.
- What is the purpose of BSI?
- Who is BSI intended for?
- How is the content organized?
- How does the BSI team encourage adoption of secure software development best practices?
- How does BSI involve the software assurance community?
- What are the benefits of participating in BSI development activities?
- How can I make suggestions or provide other feedback about BSI?
- If I want additional information regarding the BSI Initiative, whom should I contact?
What is the purpose of BSI?
BSI seeks to change the way software is developed so that it is less vulnerable to attack and security is "built in" from the start rather than added afterward.
Who is BSI intended for?
Build Security In is intended for software developers and software development organizations who want information and practical guidance on how to produce secure and reliable software. BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed systematically throughout the software development life cycle. BSI contains, and links to, a broad range of best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software.
How is the content organized?
The categorization of BSI content is the result of merging an earlier collaboration framework with ideas presented in the life-cycle touchpoints diagram that accompanied articles by Dr. Gary McGraw, CTO of Cigital, Inc., in the June 2004 issue of IEEE Security and Privacy. Additional practices were identified in The National Cyber Security Taskforce's report on processes to produce secure software. The BSI team supplemented the taskforce's practices with process models and references to appropriate tools, measurement, and other resources.
The Additional Resources section of the site contains links to articles and reports related to BSI content areas but published elsewhere, an annotated bibliography of related books, and links to related websites.
How does the BSI team encourage adoption of secure software development best practices?
Deep technical content alone is not enough: a business case is required to explain the value of adopting secure software development best practices, and educational materials and efforts are needed to inform consumers about the need for software assurance. The BSI team uses opportunities at the Carnegie Mellon CyLab industrial partner meetings, DHS workshops, and other events to make the case for software assurance and to encourage sharing of case study and return-on-investment (ROI) information. The BSI team also participates in other activities to share BSI content and any case study or ROI data it has gathered, with the intent of jointly growing the usefulness and relevance of this information.
How does the BSI team involve the software assurance community?
Members of the software assurance community are invited to submit articles for publication on the Build Security In website or to review submitted articles.
To inquire about authoring or reviewing content for BSI, see the Call for Authors and Reviewers or send an email to the BSI team.
What are the benefits of participating in BSI development activities?
Authors for Build Security In have the opportunity to participate in a community effort to develop material that will be widely viewed by software developers and managers interested in developing secure products. Author names and affiliations appear on the site, giving visibility to the authors and their organizations in the community.
Reviewers have the opportunity to review material for Build Security In, supporting the goal of community consensus. Reviewers, with their permission, are acknowledged on the site and in the community.
How can I make suggestions or provide other feedback about BSI?
To provide feedback on the content or other aspects of BSI, send an email to the BSI team.
If I want additional information regarding the BSI Initiative, whom should I contact?
Contact Michael Greenwood of the SEI at 703-908-8237 or email mgreenwd [at] sei.cmu.edu.