The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.
BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of software security.
The BSIMM is now on its ninth iteration. But what was the motivation behind its genesis?
It all started around 2006 when multiple software security methodologies began springing up like mushrooms after a spring rain. Gary McGraw and Sammy Migues of Synopsys Software Integrity Group (then of Cigital) noticed that these methodologies had one key thing in common—they were based on opinion, not fact.
After debating a solution for some time, Gary and Sammy, along with Brian Chess (then of Fortify), began to develop a descriptive model stating what software security people were actually doing, instead of what they “ought to be doing.”
To start, Gary, Sammy, and Brian selected nine firms that were very advanced in software security to be part of their scientific study. The three spent many hours and lots of airplane miles gathering data, conducting a series of in-person interviews, and developing a model that described the data. From this work sprung the first BSIMM, published in 2009.
Because the original data-driven, descriptive approach taken by the BSIMM was designed to be adaptive, the BSIMM has been adjusted over the years to cohere with the data. In general, the model has remained consistent over nine iterations. The purpose of the model also has remained the same: describe what is happening in software security initiatives, rather than prescribe what “should happen” based on opinion alone.
To quantify the activities carried out by real software security initiatives to help the wider software security community plan, carry out, and measure initiatives of their own.
We understand that not all organizations need to achieve the same security goals, but we believe all organizations can benefit from using the same measuring stick.
To create our descriptive model, we use a “just the facts” approach that focuses on simply reporting observations.
By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.
Our model comprises 116 activities grouped into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment.
There are 120 participating firms in the BSIMM study. They come from many verticals, including financial services, independent software vendors, tech, healthcare, and consumer electronics. We have measured more than 167 firms with the BSIMM and add more every month.
The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative.
Become a member of a private group to discuss solutions and strategies with others who face the same issues.
Data for the BSIMM is captured by Synopsys. Resources for data analysis are provided by Oracle.
