About the BSIMM

Bringing science to software security

The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.

BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of software security as it is actually practiced by the participating organizations.

HISTORY OF THE BSIMM

In 2006, it was clear that organizations were taking many different paths to the destination of software security. The experts at the Synopsys Software Integrity Group (then Cigital) set out to gather data on this phenomenon to analyze how firms with advanced software security initiatives (SSIs) were addressing the challenge of securing their software.

The research team contacted nine firms that were very advanced in software security. They gathered the baseline data by conducting in-person interviews that dug into the daily processes of each organization’s software security group (SSG) and the affiliated people doing the actual work.

The result was a descriptive model that represented the findings from this data, providing organizations a baseline of activities for software security. Further, the model continued to evolve as the security landscape grew in complexity and importance. New data is collected and analyzed both from organizations new to the community and from members maturing their programs.

The current data pool has grown to over 100 organizations, making the BSIMM a truly living document that changes as we observe and analyze. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM evolves in step.

The value of the published BSIMM report was immediate and the participating organizations wanted to meet to share their experiences. From this, the BSIMM Community was born, and the annual BSIMM Conference was conceived to provide a place where the community could openly exchange ideas and learn from one another.

As the BSIMM reaches its 10th iteration, it continues to be an important resource for everyone involved in software security.

WHAT WE’RE ABOUT

Our mission

To quantify the activities carried out by real software security initiatives to help the wider software security community plan, carry out, and measure initiatives of their own.

Our philosophy

We understand that not all organizations need to achieve the same security goals, but we believe all organizations can benefit from using the same measuring stick.

Our method

To create our descriptive model, we use a “just the facts” approach that focuses on simply reporting observations.

Our benefit

By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.

Our model

Our model comprises 119 activities grouped into four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment.

Our firms

There are 122 participating firms in the BSIMM study. They come from many verticals, including financial services, independent software vendors, tech, healthcare, and consumer electronics. We have measured more than 185 firms with the BSIMM and add more every month.

Our audience

The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative.

Our community

Become a member of a private group to discuss solutions and strategies with others who face the same issues.

Our supporters

Data for the BSIMM is captured by Synopsys. Resources for data analysis are provided by Oracle.

TOP BSIMM ACTIVITIES

Ensure host and network security basics are in place.
Use external penetration testers to find problems.
Identify gate locations; gather necessary artifacts.
Identify PII obligations.
Perform security feature review.
Create or interface with incident response.
Identify software security defects found in operations monitoring and feed them back to development.
Ensure QA supports edge/boundary value condition testing.
Build and publish security features.
Feed results to the defect management and mitigation system.
Have emergency codebase response.
Track software bugs found in operations through the fix process.