On March 5, we released the Building Security in Maturity Model (BSIMM), the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program. Based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo and Depository Trust Clearing Corporation (DTCC), the BSIMM pulls together a set of activities practiced by nine of the most successful software security initiatives in the world. The BSIMM is available under a creative commons license, so look for ways to incorporate it into your work! Here’s the BSIMM site. 

The cryptographic community is so good at weeding out the less secure algorithms and choose from the remainder, that The National Institutes of Standards and Technology (NIST) is holding a competition to choose a design for the Secure Hash Algorithm version 3 (SHA-3). A few members of Fortify's Security Research group decided to weigh in. Visit our blog to read about vulnerabilities and other bugs we found in the SHA-3 reference implementations. 

Also, don’t miss this month’s feature article, Governing Appsec Effectively. Barmak Meftah discusses compliance, development and application security. 

Have you ever had a boss who played the blame game? Our readers give their thoughts and opinions on how to address this in "How to handle a sneaky boss?"

Developers a security problem? This software engineer would like you to share your top three security tips when you teach developers about security.

Please let us know how successful we are at including articles relevant to you by taking a one-minute reader survey. You could win a complimentary copy of Secure Programming with Static Analysis. Congratulations to Debbie Christofferson, information security manager at the Apollo Group, for being this issue's winner! 

If you would like to unsubscribe from this newsletter, please click on link at the bottom of the page.