Here you will find frequently asked questions about the BSIMM. For the full and unexpurgated model, download the BSIMM document here.
FAQ
Who needs to worry about software security?
What makes the BSIMM so special?
Who's actually responsible for software security?
Yikes, 119 activities sounds like a lot!
Why are some activities highlighted?
I'm more of a visual person. What does this study look like graphically?
Is everybody in the study equally good at software security?
What should I do with the BSIMM?
What is a software security group? Do I have to have one?
If the BSIMM is so important, how has the world gotten along without it for so long?
I get it, but my boss doesn't. How do software security initiatives get off the ground?
What are a few key themes highlighted by the latest BSIMM study?
What is the BSIMM?
BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.
Why software security?
Software security is about building software to be secure even when it’s under attack. As we’ve learned from years of reviewing network security breaches, protecting software is much easier if the software is built with security in mind. Furthermore, security is a property and not a thing, so software security—being resistant to attack—involves much more than simply adding security features like encryption or passwords to software.
Who needs to worry about software security?
Organizations that develop and depend on software to do business (and everybody does these days) need software that won’t leak millions of identity records, call election results into question, incur huge legal liabilities, or allow secrets to fall into the wrong hands. The only way to make software trustworthy is to build security in. In short, everyone who relies on software needs the BSIMM.
What makes the BSIMM so special?
We built the BSIMM entirely from observations we made by studying real software security initiatives. The BSIMM does not tell you what you should do; instead, it tells you what everyone else is actually doing. This “observe and report” approach to software security science stands in sharp contrast to prescriptive approaches based on personal experience.
Whom did you study?
On average, the 122 firms whose data are included in BSIMM10 had practiced software security for 4.53 years at the time of their current assessment (with values ranging from less than a year to 19 years as of June 2019). All 122 firms agree that the success of their initiatives hinges on having an internal group devoted to software security—the software security group. SSG size on average is 13.1 people (smallest 1, largest 160, median 6.0), with an average satellite group of others (developers, architects, and people in the organization directly engaged in and promoting software security) consisting of 51.6 people (smallest 0, largest 1,500, median 0). The average number of developers among our participants was 3,804.2 people (smallest 5, largest 100,000, median 900), yielding an average percentage of SSG to development of 1.37% (median 0.61%).
All told, the BSIMM describes the work of 1,596 SSG members working with a satellite of 6,298 people to secure the software—nearly 175,000 applications—developed by 468,500 developers.
Who’s actually responsible for software security inside these companies?
The executives in charge of the software security initiatives we studied have a variety of titles. Examples include AVP Corporate Security, Director AppSec, Director Security Assurance, VP InfoSec, VP Application Risk Management, Senior Director Shared Services, Manager Software Security Engineering, Senior Director Enterprise Software, Senior Director Infrastructure and Security, Senior Director Global InfoSec Innovation, Global Head Security Testing, System Manager Systems Development, Security Architect, Executive Director Product Operations, Manager InfoSec Operations, Information Systems Manager, and Embedded Systems and Cybersecurity Leader. We observe a fairly wide spread in exactly where the SSG is situated. In particular, 71 of the 122 participating firms have SSGs that are run by a CISO or report to a CISO as their nearest senior executive. Seventeen of the firms report to a CTO as their closest senior executive, while six report to a CIO, seven to a CSO, four to a COO, two to a CRO, and one to a CAO. Fourteen of the SSGs report through some type of technology or product organization.
What’s in the BSIMM?
The BSIMM’s primary organizing feature is its software security framework. That framework comprises four domains—Governance, Intelligence, SSDL Touchpoints, Deployment—that hold 12 practices:
- Governance: Strategy & Metrics, Compliance & Policy, Training
- Intelligence: Attack Models, Security Features & Design, Standards & Requirements
- SSDL Touchpoints: Architecture Analysis, Code Review, Security Testing
- Deployment: Penetration Testing, Software Environment, Configuration Management & Vulnerability Management
Each practice holds its related activities, for a total of 119 activities in BSIMM10. During the study, we kept track of how many times each activity was observed. Here are the resulting data (to interpret individual activities, download a copy of the BSIMM document, which carefully describes each of the 119 activities).
For each activity, we give a description and one or more real examples to illustrate how organizations make it happen. The examples are never the only way to conduct a given activity, but we think they’re helpful for understanding software security reality.
Yikes, 119 security activities sounds like a lot!
Never fear! BSIMM is an observational model, which means that when we see a real activity being conducted in multiple participant organizations, we add it to the model. That means the model is cumulative, and no organization carries out all activities. Over the years, we’ve found a surprising amount of common ground between the financial services organizations, independent software vendors (ISVs), and IoT companies we studied, but their initiatives are by no means identical, and every organization is at least a little bit different. You wouldn’t implement a direct copy of a friend’s financial plan, so you shouldn’t expect to lift someone else’s software security initiative either. Use the BSIMM as a source of ideas and general guidance—as a trail guide rather than as a cookbook.
Why are some activities highlighted in the BSIMM scorecard?
The 12 highlighted activities are those we observed most often in each practice.
Twelve core activities
| Activity | Description |
| [SM1.4] | Identify gate locations and gather necessary artifacts. |
| [CP1.2] | Identify PII obligations. |
| [T1.1] | Conduct awareness training. |
| [AM1.2] | Create a data classification scheme and inventory. |
| [SFD1.1] | Build and publish security features. |
| [SR1.3] | Translate compliance constraints to requirements. |
| [AA1.1] | Perform security feature review. |
| [CR1.4] | Use automated tools along with manual review. |
| [ST1.1] | Ensure QA supports edge/boundary value condition testing. |
| [PT1.1] | Use external penetration testers to find problems. |
| [SE1.2] | Ensure host and network security basics are in place. |
| [CMVM1.1] | Create or interface with incident response. |
I’m more of a visual person. What does this look like graphically?
To give you some idea of the analysis capabilities provided by the BSIMM, here are three spider charts showing average maturity level over some number of organizations for the 12 practices. The first chart shows data from all BSIMM firms (which we call AllFirms). The second chart shows data from a sample firm plotted against AllFirms.
Three verticals in the BSIMM operate in highly regulated industries: insurance, healthcare, and financial services. In our experience, large financial services firms reacted first to regulatory changes of the 1990s and early 2000s and started their SSIs much earlier than insurance and healthcare firms. Even as the number of financial services firms doubled over the past five years with a large influx into the BSIMM data pool of newly started initiatives, the financial services SSG average age at assessment time remains 5.4 years, versus 3.2 years for insurance and 3.1 years for healthcare. Time spent maturing their collective SSIs shows up clearly in the side-by-side comparison. Although the insurance vertical includes some mature outliers, the data for these three regulated verticals show insurance generally lags behind in software security. We see a starker contrast in healthcare, with virtually no outliers.
Is everybody in the study equally good at software security?
No. By computing a score for each firm in the study, we can also take a look at relative maturity and average maturity for one firm against the others. The score range of the current pool is [5, 83].
We’re pleased that the BSIMM study continues to grow year after year. The overall dataset we report on here is nearly 38 times the size it was for the original publication. Note that once we exceeded a sample size of 30 firms, we began to apply statistical analysis, yielding statistically significant results.
Is the BSIMM a standard?
The BSIMM is not a standard like ISO 27001 or the official rules of table tennis. Instead, the BSIMM describes the set of activities practiced by the most successful software security initiatives in the world. In that sense, it is a de facto standard because it’s what organizations actually do. You could say we discovered it rather than dreamed it up.
What should I do with the BSIMM?
If you don’t have a software security initiative, you need one, and you can use the BSIMM to get started. The BSIMM can help you figure out how many people you’ll need in your software security group, what those people should do first, and what kinds of things they’ll probably be thinking about in a few years. If you already have a software security initiative, you can use the BSIMM to learn where you stand and make plans for the future.
How much does the BSIMM cost?
The BSIMM is free: We released it under a Creative Commons license. This means it’s as “open” as any other model, and you can take it and use it as inspiration for your own internal documents or use our published data to make a model of your very own. If you do those things, you’re required to tell people where the material came from. In other words, point back to the BSIMM. If you need a little help, contact us.
What is a software security group? Do I have to have one?
All BSIMM participants have an internal group devoted to software security—the software security group (SSG). We’ve never observed an organization carrying out the activities in the BSIMM successfully without an SSG. We noted an average ratio of SSG to development of 1.37% across the entire group of 122 organizations we studied. That means one SSG member for every 73 developers when we average the ratios for each participating firm. The SSG with the largest ratio was 20% and the smallest was 0.02%. To remind you of the particulars in terms of actual bodies, SSG size on average among the 122 firms was 13.1 people (smallest 1, largest 160, median 6.0).
If the BSIMM is so important, how has the world gotten along without it for so long?
For many software makers (including ISVs, banks, healthcare providers, governments, and others), software security has been a 21st-century concern at best, and a real executive-level concern only for 10 years at most. The collective “we” are just now reaching the point where we’ve accumulated enough experience to compare notes and talk about what works at a macro level. Secure programming, penetration testing, and the like have been topics for a while now, but the best methods for organizing humans into software security initiatives have taken longer to emerge. The BSIMM captures those activities into an observational model that is free and open for everyone to use.
I get it, but my boss doesn’t. How do software security initiatives get off the ground?
Over the years of the BSIMM study, we’ve seen the same kind of need to justify software security as we saw back in the days before IT security became mainstream. Back then, some executives simply didn’t get why firewalls were necessary or how intrusion detection helped prevent a small issue from becoming a big one or how simply teaching people how to think about security could actually change corporate culture. In those early days, even managers who understood the problem intellectually were sometimes sorely tempted to see just how long the firm could wait before it became their turn to be victimized.
In the BSIMM data pool, we’ve seen software security groups get their charter and funding under the following broad sets of circumstances:
- Executive management reacted to ongoing events, said, “We will make secure software,” and funded the means to do it (e.g., Bill Gates’ 2002 security memo at Microsoft, which directed that security be a primary consideration).
- An established upper management group responsible for some form of compliance determined—possibly after costly failures—that software security was a necessary expense in the firm’s governance processes.
- The IT security crew proved that a breach was not their fault but rather a result of a security vulnerability in the firm’s applications.
- An influential software security entrepreneur (e.g., in the CIO, CTO, legal, or governance groups) worked the system to get the ball rolling and then parlayed early successes into funding for an actual program.
- A development group organically developed a variety of “Sec” roles as part of their journey into DevOps (e.g., CloudSec, BuildSec, ContainerSec), and an executive standardized these efforts into a program to push knowledge and process into all development groups.
It seems that the hard part these days isn’t necessarily selling upper management on the problem but convincing them that you’re the right person to lead the solution and that you actually have a plan. If you’re responsible for software security—even if it’s just in the sense that you’re the person who would be fired after a major software security failure—and you can’t get resources for a program that will address the issues, quit now. Life is just too short for that kind of nonsense, and there are plenty of employers willing to make real use of your abilities.
What are a few key themes highlighted by the latest BSIMM study?
DevOps’ impact on software security. The BSIMM data show that the DevOps movement, along with growth in CI/CD tooling and digital transformation, is affecting the way that firms approach software security for their software portfolio.
The new wave of engineering-driven security culture. BSIMM10 is our first study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in the development and operations teams rather than top-down from a centralized SSG. Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, whereas it struggled to do so even just a few years ago.
The BSIMM can help you navigate the evolution of your SSI. The BSIMM data show that organizations improve demonstrably over time, and many achieve a level of maturity where they focus on the depth, breadth, and scale of the activities they’re conducting rather than always striving for more activities.
