Here you will find frequently asked questions about BSIMM. For the full, unexpurgated model, download the BSIMM report itself.
BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. The BSIMM report is a study of real-world software security initiatives (SSIs) organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.
Software security is about building software to be secure even when it’s under attack. As we’ve learned from years of reviewing network security breaches, protecting software is much easier if the software is built with security in mind. Furthermore, security is a property and not a thing, so software security—being resistant to attack—involves much more than simply adding security features like encryption or passwords to software.
Organizations that develop and depend on software to do business (and everybody does these days) need software that won’t leak millions of identity records, call election results into question, incur huge legal liabilities, or allow secrets to fall into the wrong hands. The only way to make software trustworthy is to build security in. In short, everyone who relies on software needs BSIMM.
We built BSIMM entirely from the observations we made by studying real software security initiatives. BSIMM doesn’t tell you what you should do; instead, it tells you what everyone else is actually doing. This “observe and report” approach to software security science stands in sharp contrast to prescriptive approaches based on personal experience.
There are 130 firms included in BSIMM13. On average, they had practiced software security for five years at the time of their most recent assessment. All 130 firms agree that the success of their initiatives hinges on having an internal group devoted to software security, a software security group (SSG). The average size of an SSG is 25.7 people (the smallest is 1, the largest is 892, and the median is 8.0). Often there is also a satellite group of others (developers, architects, and people elsewhere in the organization directly engaged in and promoting software security); on average that group consists of 112 people (the median is 40). The average number of developers in participating organizations is 2,146 (the smallest is 25, the largest is 100,000, and the median is 800). The ratio of SSG size to development staff is discussed in the SSG-sizing answer below.
All told, the BSIMM report describes the work of 11,850 SSG members helping about 410,000 developers do good security work on about 145,000 applications.
Don’t worry—BSIMM is an observational model, which means that when we see an activity being conducted in multiple participant organizations, we add it to the model. The model is cumulative, and no organization carries out all activities. Over the years, we’ve found a surprising amount of common ground between the financial services organizations, independent software vendors (ISVs), and IoT companies we studied, but their initiatives are by no means identical, and every organization is at least a little bit different. You wouldn’t implement a direct copy of a friend’s financial plan, so you shouldn’t expect to lift someone else’s software security initiative either. Use BSIMM as a source of ideas and general guidance—as a trail guide rather than as a cookbook.
The 12 activities listed in Figure 3 are those we observed most often in each of the 12 practices.
Figure 3: Most common activity by practice (figure not reproduced here)
Figure 7: BSIMM13 Score Distribution (figure not reproduced here)
BSIMM is not a standard like ISO 27001 or the official rules of table tennis. Instead, BSIMM describes the set of activities practiced by the most successful software security initiatives in the world. In that sense, it is a de facto standard because it’s what organizations actually do. You could say we discovered it rather than invented it.
If you don’t have a software security initiative, you need one. And you can use BSIMM to get started: It can help you figure out how many people you’ll need in your software security group, what those people should do first, and what kinds of things they’ll probably be thinking about in a few years. If you already have a software security initiative, you can use BSIMM to learn where you stand and make plans for the future.
BSIMM is free: We released it under a Creative Commons license. This means it’s as “open” as any other model, and you can take it and use it as inspiration for your own internal documents, or use our published data to make a model of your own. If you do those things, you’re required to tell people where the material came from. In other words, point back to BSIMM. If you need a little help, contact us.
All BSIMM participants have an internal group devoted to software security: the software security group (SSG). We have never observed an organization carrying out the BSIMM activities successfully without one. Across the 130 organizations we studied, the average ratio of SSG staff to development staff was 3.01%. For organizations with 800 developers or fewer, the largest ratio observed was 51.4% and the smallest was 5.11%; for organizations with more than 800 developers, the largest was 14.9% and the smallest was 1.03%. In terms of actual headcount, average SSG size among the 130 firms is 25.7 people (the smallest is 1, the largest is 892, and the median is 8).
For many software makers (including ISVs, banks, health care firms, governments, and others), software security has been a twenty-first-century concern at best, and an executive-level concern for 10 years at most. The collective “we” are just now reaching the point where we’ve accumulated enough experience to compare notes and talk about what works at a macro level. Secure programming, penetration testing, and the like have been topics for a while now, but the best methods for organizing software security initiatives have taken longer to emerge. BSIMM captures those activities into an observational model that is free and open for everyone to use.