Software Integrity Blog

BSIMM9 by the numbers

Over the past decade, we’ve studied dozens of security activities performed by real-life firms. Take a look at some key facts from this year’s BSIMM report.

Over the past ten years, we’ve studied dozens of security activities performed by real-life firms to measure the software security practices used in organizations of different sizes, in different verticals, and at different levels of maturity. Quantifying these practices in the Building Security In Maturity Model (BSIMM) allows us to describe the common areas shared by many organizations, as well as the variations that make each unique. The BSIMM isn’t a how-to guide or a one-size-fits-all prescription. It’s a reflection of real software security initiatives taking place around the world. Take a look at the infographic below to see some key facts about this year’s report, BSIMM9.


BSIMM9 by the numbers

10: Number of years BSIMM has been around (started in 2008)

167: Total number of firms studied by BSIMM

116: Number of software security activities measured by BSIMM

10: Average point increase seen in the raw scores of the 42 firms re-measured

62: Percent of BSIMM participants that incorporate BSIMM’s 12 core activities into their software security initiative (SSI)

100: Percent of BSIMM participants that have an SSI and agree that it’s key to the success of their initiative

1:75: Average ratio of software security group (SSG) members to developers

13.3: Average number of people in an SSG

117: Average number of people in a satellite

90: Percent of the 10 highest-scoring firms that have a satellite

0: Percent of the 10 lowest-scoring firms that have a satellite