About the BSIMM

Bringing science to software security

The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.

BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of the software security practices actually observed in real organizations.


In 2006, it was clear that organizations were taking many different paths toward the same goal of software security. The experts at the Synopsys Software Integrity Group (then Cigital) set out to gather data on this phenomenon and analyze how firms with advanced software security initiatives (SSIs) were addressing the challenge of securing their software.

The research team contacted nine firms that were very advanced in software security. They gathered the baseline data by conducting in-person interviews that dug into the daily processes of each organization’s software security group (SSG) and the affiliated people doing the actual work.

The result was a descriptive model that represented the findings from this data, providing organizations a baseline of activities for software security. Further, the model continued to evolve as the security landscape grew in complexity and importance. New data is collected and analyzed both from organizations new to the community and from members maturing their programs.

The current data pool has grown to over 100 organizations, making the BSIMM a truly living document that changes as we observe and analyze. As development methodologies advance, new threats emerge, and security methods adapt, the BSIMM evolves in step.

The value of the published BSIMM report was immediate and the participating organizations wanted to meet to share their experiences. From this, the BSIMM Community was born, and the annual BSIMM Conference was conceived to provide a place where the community could openly exchange ideas and learn from one another.

As the BSIMM reaches its 11th iteration, it continues to be an important resource for everyone involved in software security.


Our mission

Our mission is to quantify the activities carried out by real software security initiatives, and to help the wider software security community plan, carry out, and measure initiatives of their own.

Our philosophy

We understand that not all organizations need to achieve the same security goals, but we believe all organizations can benefit from using the same measuring stick.

Our method

To create our descriptive model, we use a “just the facts” approach that focuses on simply reporting observations.

Our benefit

By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.

Our model

Our model comprises 121 activities grouped into four domains: 

Our firms

There are 130 participating firms in the BSIMM study. They come from many verticals, including financial services, independent software vendors, tech, healthcare, and consumer electronics. We have measured more than 200 firms with the BSIMM and add more every month.


Our audience

The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative.

Our community

You can become a member of a private group to discuss solutions and strategies with others who face the same issues.

Our supporters

Data for the BSIMM is captured by Synopsys. 


Examples of activities observed in the model include:

Ensure host and network security basics are in place
Implement life cycle governance
Review security features
Use external penetration testers to find problems
Identify personally identifiable information (PII) obligations
Perform security feature review
Create or interface with incident response
Ensure QA performs edge/boundary value condition testing
Integrate and deliver security features
Identify software defects found in operations monitoring and feed them back to development
Use automated tools along with manual review
Feed results to the defect management and mitigation system