Based on research with companies such as Aetna, HSBC, Cisco, and more, the Building Security In Maturity Model (BSIMM) measures software security. The BSIMM (pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of different organizations, the BSIMM can describe common software security practices as well as unique variations.
The organizations that provided the BSIMM data for the latest version of the model come from verticals including financial services, independent software vendors, technology, healthcare, cloud, Internet of Things, insurance, retail, telecommunications, security, and energy. While some organizations prefer to participate in BSIMM research anonymously, those companies that have agreed to be identified can be found on the BSIMM membership page.
The most recent version of the BSIMM describes the work of nearly 3,000 software security group members working to secure the software developed by 400,000 developers.
The BSIMM initiative began in 2006 when members of Cigital (now part of Synopsys Software Integrity Group) began to develop a model to describe software security initiatives. Nine firms were selected as part of the initial study. The first BSIMM was published in 2009. The purpose of the BSIMM model is to describe what actually happens in software security initiatives, rather than prescribe what “should happen” based on opinion alone.
The BSIMM is a software security framework used to categorize 122 activities to assess security initiatives. The framework consists of 12 practices organized into four domains:
The BSIMM is descriptive rather than prescriptive. That is, the BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription for security. Instead, it is a reflection of software security that can:
The Synopsys Maturity Action Plan (MAP) is available for organizations that want to turn the information obtained from the BSIMM into a prescriptive plan. If you don’t have a software security initiative in place, the BSIMM can help your organization develop an SSI, allowing you to answer these questions, among others:
If you already have a software security initiative running, you can use the BSIMM to learn where you stand against your peers and enhance your software security program.
The BSIMM Resources page has the latest BSIMM report as well as other useful material about developing and benchmarking your own security initiative.