The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.
BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of software security.
In 2006, it was clear that organizations were taking many different paths to the destination of software security. The experts at the Synopsys Software Integrity Group (then Cigital) set out to gather data on this phenomenon to analyze how firms with advanced software security initiatives (SSIs) were addressing the challenge of securing their software.
The research team contacted nine firms that were very advanced in software security. They gathered the baseline data by conducting in-person interviews that dug into the daily processes of each organization’s software security group (SSG) and the affiliated people doing the actual work.
The result was a descriptive model that represented the findings from this data, providing organizations a baseline of activities for software security. Further, the model continued to evolve as the security landscape grew in complexity and importance. New data is collected and analyzed both from organizations new to the community and from members maturing their programs.
The current data pool has grown to over 100 organizations, making the BSIMM a truly living document that changes as we observe and analyze. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM evolves in step.
The value of the published BSIMM report was immediate and the participating organizations wanted to meet to share their experiences. From this, the BSIMM Community was born, and the annual BSIMM Conference was conceived to provide a place where the community could openly exchange ideas and learn from one another.
As the BSIMM reaches its 11th iteration, it continues to be an important resource for everyone involved in software security.
Our mission is to quantify the activities carried out by real software security initiatives, and to help the wider software security community plan, carry out, and measure initiatives of their own.
We understand that not all organizations need to achieve the same security goals, but we believe all organizations can benefit from using the same measuring stick.
To create our descriptive model, we use a “just the facts” approach that focuses on simply reporting observations.
By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.
Our model comprises 121 activities grouped into four domains:
There are 130 participating firms in the BSIMM study. They come from many verticals, including financial services, independent software vendors, tech, healthcare, and consumer electronics. We have measured more than 200 firms with the BSIMM and add more every month.
The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative.
You can become a member of a private group to discuss solutions and strategies with others who face the same issues.
Data for the BSIMM is captured by Synopsys.
