Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs. It quantifies the application security (appsec) practices of different organizations across industries, sizes, and geographies while identifying the variations that make each organization unique.
BSIMM consists of:
In 2008, it was clear that organizations were taking different paths to securing their software. Research, data, and consultant experts in what is now the Synopsys Software Integrity Group set out to gather data on these different paths with the goal of examining organizations that were highly effective in software security, conduct in-person interviews with security professionals within the organizations, and publish their findings.
Since then, BSIMM has grown from nine participating companies to 128 in 2021, with nearly 3,000 software security group members and more than 6,000 satellite (security champions) members.
The annual BSIMM report—now in its 12th iteration—is a living document that changes and evolves based on real-world observations and analysis. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM data evolves in step.
BSIMM aims to quantify the activities carried out by real-world software security initiatives and to help the wider software security community plan, execute, and measure initiatives of their own.
We understand that not all organizations have the same security goals, but we believe all organizations can benefit from using the same measuring stick.
BSIMM uses a “just the facts” approach that focuses on documenting observations, rationalizing data from those observations, and creating a common language to describe and communicate software security initiatives.
By providing measurement data from the field, BSIMM makes it possible to build a long-term plan for any software security initiative and track its progress against the plan.