Software Integrity Blog


[Infographic] 7 truths to improve your software security program

The Building Security In Maturity Model (BSIMM) can help you improve your software security program, regardless of industry, size, or application mix.


How high can you soar?

7 undeniable truths to improve your software security program

Ten years of data gathered from 100+ initiatives provide a bird’s-eye view of software security. The Building Security In Maturity Model (BSIMM) can help you improve your software security program regardless of your industry, your size, or the mix of your applications.

1. Gain altitude in stages

Security initiatives commonly start with straightforward activities, such as a security feature review, before they take on those that require more coordination, such as creating customized rulesets. You can use the BSIMM to assess your level of maturity.

2. Move at your own speed

The pace of progress along the maturity curve is not the same for every organization, or even for every industry. Launch and improve your software security program based on your own risk drivers, budget, and priorities rather than on someone else's timeline.

3. A pilot is essential

No organization can have a successful software security initiative without leadership. Mature initiatives are typically led by a senior executive and managed by a software security group that establishes governance, policy, and standards.

4. The right crew is key

Many organizations rely on security testing tools, but mature organizations know tools alone are not enough to reduce risk. It takes experts to interpret results, prioritize findings, and fix issues.

5. Broad support eases the ride

Mature initiatives have support from people in functions other than the security team, such as developers, architects, and product owners. You must develop a “satellite” crew to raise awareness and ensure security policies are carried out.

6. Conditions will change

Years of BSIMM data show that organizations change their mix of security strategies, adding new activities and replacing others, as they navigate. It’s essential to stay up-to-date and regularly evaluate your own tactics.

7. Chart your own course

The BSIMM shows that while companies begin their journey with common practices, as they ascend, they pick and choose among 119 software security activities to reduce risk. After you see how you compare, you can use the BSIMM to make decisions that fit your company.

Don’t just drift in the wind

To navigate to your final destination, you must know your launch point and accurately assess the conditions. The BSIMM can’t guarantee a smooth ride, but it can make it easier to ascend the maturity curve and improve your software security program, even when the wind is blowing. While these truths are universal, they scratch the surface of what the BSIMM can reveal. A BSIMM assessment compares your software security initiative against your peers, so you can identify strengths, uncover gaps, and determine strategies that fit your own organization.
