Sorry, not available in this language yet


Where application security leaders come to reduce their software risk

Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs. It quantifies the application security (appsec) practices of different organizations across industries, sizes, and geographies while identifying the variations that make each organization unique.

BSIMM consists of:

  • An assessment that provides an objective, data-driven evaluation of an organization’s current appsec program
  • Membership in a community of security peers that offers collaboration, best practices, and exclusive content
  • Global conferences that include keynote sessions from security leaders, networking opportunities, and forums to exchange techniques and practices
  • An annual report (currently BSIMM13) that provides a data-driven analysis of real-world software security programs, practices, and activities


In 2008, it was clear that organizations were taking different paths to securing their software. Research, data, and consultant experts in what is now the Synopsys Software Integrity Group set out to gather data on these different paths with the goal of examining organizations that were highly effective in software security, conduct in-person interviews with security professionals within the organizations, and publish their findings.

Since then, BSIMM has grown from nine participating companies to 130 in 2022, with nearly 3,350 software security group members and more than 8,500 satellite (security champions) members.

The annual BSIMM report—now in its 13th iteration—is a living document that changes and evolves based on real-world observations and analysis. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM data evolves in step.


Our mission

BSIMM aims to quantify the activities carried out by real-world software security initiatives and to help the wider software security community plan, execute, and measure initiatives of their own.

Our philosophy

We understand that not all organizations have the same security goals, but we believe all organizations can benefit from using the same measuring stick.

Our method

BSIMM uses a “just the facts” approach that focuses on documenting observations, rationalizing data from those observations, and creating a common language to describe and communicate software security initiatives.

Our benefit

By providing measurement data from the field, BSIMM makes it possible to build a long-term plan for any software security initiative and track its progress against the plan.

Our model

The BSIMM model comprises 125 activities grouped into 12 practice areas across four domains: governance, intelligence, secure software development life cycle touchpoints, and deployment.

Our firms

Participating firms in BSIMM come from many industry verticals, including financial services, independent software vendors, technology, healthcare, and IoT. We have measured more than 200 firms since 2008 and add more every month.

Our audience

BSIMM can be used by anyone responsible for creating and executing a software security initiative or program, including chief information security officers, development executives, DevOps managers, developers, and appsec leaders and practitioners.

Our community

BSIMM provides a private community to engage with peers and get best practices and insights through blogs, webinars, and other exclusive content focused on securing software in today’s challenging business environment.

Our conferences

BSIMM global conferences include keynote sessions from security leaders, networking opportunities to connect with industry peers, and forums to exchange techniques and practices.