The Building Security In Maturity Model (BSIMM) can help you improve your software security program, regardless of industry, size, or application mix.
Ten years of data gathered from 100+ initiatives provide a bird’s-eye view of software security. The Building Security In Maturity Model (BSIMM) can help you improve your software security program regardless of your industry, your size, or the mix of your applications.
Security initiatives commonly start with straightforward activities, such as a security feature review, before they take on those that require more coordination, such as creating customized rulesets. You can use the BSIMM to assess your level of maturity.
The rate of acceleration along the maturity curve is not the same for every organization or even every industry. You must launch and improve your software security program based on your own risk drivers, budget, and priorities.
No organization can have a successful software security initiative without leadership. Mature initiatives are typically led by a senior executive and managed by a software security group that establishes governance, policy, and standards.
Many organizations rely on security testing tools, but mature organizations know tools alone are not enough to reduce risk. It takes experts to interpret results, prioritize findings, and fix issues.
Mature initiatives have support from people in functions other than the security team, such as developers, architects, and product owners. You must develop a “satellite” crew to raise awareness and ensure security policies are carried out.
Years of BSIMM data show that organizations change their mix of security strategies, adding new activities and replacing others, as they navigate. It’s essential to stay up-to-date and regularly evaluate your own tactics.
The BSIMM shows that while companies begin their journey with common practices, as they ascend, they pick and choose among 119 software security activities to reduce risk. After you see how you compare, you can use the BSIMM to make decisions that fit your company.
To navigate to your final destination, you must know your launch point and accurately assess the conditions. The BSIMM can’t guarantee a smooth ride, but it can make it easier to ascend the maturity curve and improve your software security program, even when the wind is blowing. While these truths are universal, they scratch the surface of what the BSIMM can reveal. A BSIMM assessment compares your software security initiative against your peers, so you can identify strengths, uncover gaps, and determine strategies that fit your own organization.