Security Features & Design (BSIMM6 Part 6)

"If I have seen further than others, it is by standing upon the shoulders of giants." - Isaac Newton


The Security Features & Design practice is the second of three practices in the BSIMM6 Intelligence domain. The goal of this practice is to create usable security patterns for major security controls that are in-line with the standards defined by the organisation. More information about the Security Features & Design practice can be found here. The full BSIMM6 is available under the creative commons license and can be downloaded at

Practice: Security Features & Design

The intelligence domain contains practices that result in collections of corporate knowledge that are utilised while carrying out software security activities throughout the organization. Security Features & Design, the second of three practices in the intelligence domain is about preventing the root cause of core vulnerability classes by making available standardized, vetted and re-usable security controls and security design patterns throughout the organization.

In the first part of this blog series it was established that BSIMM6 activities are categorized in maturity levels ranging from low maturity (level 1) to high maturity (level 3). This article focuses on the foundational activities (maturity level 1), however if you want to learn more about the activities in maturity level 2 and 3 visit the Security Features & Design section at the official BSIMM6 website.

Build and publish security features

Out of all activities in the Security Feature & Design practice, this one has been observed in most organizations.
If you are not doing this activity yet, then it is a good place to start.

The members of the software security group (SSG) facilitate collection of solutions to core security controls such as authentication, authorization, cryptography and audit logs. These solutions will be vetted and pre-approved and made available to the development teams. Besides promoting highly secure solutions, development efforts are reduced substantially by having ready-to-go, re-usable security controls.

Engage SSG with architecture 

The main focus of this activity is to include security in architecture discussions, just like concerns about performance, availability and scalability. 

Start. Stop. Continue.

Consider the following strategy:

  • Start: Including security experts in architecture discussions.
  • Stop: Reinventing the wheel by creating security controls from scratch.
  • Continue: Identifying ways to increase the efficiency of the development organization by re-using vetted and approved solutions.

How does your software security initiative compare with your industry peers? Contact us to find out.