In 2006, it was clear that organizations were taking many different paths to the destination of software security. The experts at the Synopsys Software Integrity Group (then Cigital) set out to gather data on this phenomenon to analyze how firms with advanced software security initiatives (SSIs) were addressing the challenge of securing their software.
The research team contacted nine firms that were very advanced in software security. They gathered the baseline data by conducting in-person interviews that dug into the daily processes of each organization’s software security group (SSG) and the affiliated people doing the actual work.
The result was a descriptive model representing the findings from this data, which gave organizations a baseline of software security activities. The model has continued to evolve as the security landscape has grown in complexity and importance: new data is collected and analyzed both from organizations new to the community and from members maturing their programs.
The current data pool has grown to over 100 organizations, making the BSIMM a truly living document that changes as we observe and analyze. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM evolves in step.
The value of the published BSIMM report was immediate, and the participating organizations wanted to meet to share their experiences. From this, the BSIMM Community was born, and the annual BSIMM Conference was conceived to provide a place where the community could openly exchange ideas and learn from one another.
As the BSIMM reaches its 11th iteration, it continues to be an important resource for everyone involved in software security.