Software Integrity Blog


5 lessons learned from BSIMM6

By providing actual measurement data from the field, the Building Security In Maturity Model (BSIMM) makes it possible to build a long-term plan for a software security initiative (SSI) and track progress against that plan. The BSIMM is dedicated to quantifying the activities carried out by real SSIs in order to help the wider software security community plan, carry out, and measure initiatives of their own. Here are 5 lessons that can be taken from the recently released BSIMM6.


5 eye-opening lessons learned from BSIMM6

The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of real-world software security initiatives. Quantifying the practices carried out by real software security initiatives helps security teams to plan, carry out, and measure initiatives of their own.

After reviewing the software security initiatives (SSIs) of over 100 companies, we’ve uncovered several undeniable trends and truths. Here are the top 5 things you should keep in mind as you build or tweak your program.

1. There are no special snowflakes.

When it comes to deciding which activities will make your software secure, the 112 security activities described in the BSIMM fit every organization regardless of industry. What works to keep financial services firms secure will work for retailers, manufacturers, and you.

2. Your firm’s risk drivers are unique.

While the BSIMM defines what firms are doing to make software secure, the risk drivers in any given firm will result in unique prioritization, scale, implementation, depth, breadth, and other characteristics for the activities implemented. Tailoring the activities to your own risk drivers, rather than copying another firm’s mix wholesale, is a foundational necessity for ongoing cost-effectiveness and success.

3. Your software security team can’t do everything.

Unless your firm is very small, there isn’t a single group within the organization that touches every tool, system, configuration, or entry point. Provide everyone with awareness training, and recruit other people or teams to help you secure the nooks and crannies of your organization.

4. Security still needs people.

While you can buy any number of tools that go ‘ding’ in the night when vulnerabilities are discovered, someone still has to read the results, prioritize the findings, and fix the issues. Good people, not tools, make the difference.

5. Software security is more than penetration testing.

Just as no single tool can solve the software security problem by itself, neither can penetration testing. The BSIMM highlights 12 core activities every strong SSI does and 100 more that should be considered. Learn what they are at

By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.

Learn how you can become a part of the BSIMM community. Visit
