Synopsys Enters into Definitive Agreement for Sale of Application Security (Software Integrity Group) Learn More

close search bar

Sorry, not available in this language yet

close language selection



The Building Security In Maturity Model (better known as the BSIMM) is a descriptive model that provides a baseline of observed activities for software security initiatives. Because these initiatives often use different methodologies and different terminology, the BSIMM also creates a common vocabulary for software security initiatives.

What is the BSIMM?

Based on research with companies such as Aetna, HSBC, Cisco, and more, the Building Security In Maturity Model (BSIMM) measures software security. The BSIMM (pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of different organizations, the BSIMM can describe common software security practices as well as unique variations.

BSIMM14 Trends and Insights Report

BSIMM14 Trends and Insights Report

Discover what activities are essential for building a successful software security program

How did the BSIMM begin?

The BSIMM initiative began in 2006 when members of Cigital (now part of Synopsys Software Integrity Group) began to develop a model to describe software security initiatives. Nine firms were selected as part of the initial study. The first BSIMM was published in 2009. The purpose of the BSIMM model is to describe what actually happens in software security initiatives, rather than prescribe what “should happen” based on opinion alone.

How does the BSIMM work?

The BSIMM is a software security framework used to categorize activities to assess security initiatives. The framework consists of 12 practices organized into four domains:

  • Governance. Practices that help organize, manage, and measure a software security initiative.
  • Intelligence. Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization.
  • SSDL Touchpoints. Practices associated with analysis and assurance of particular software development artifacts and processes.
  • Deployment. Practices that interface with traditional network security and software maintenance organizations.

Why is the BSIMM useful?

The BSIMM is descriptive rather than prescriptive. That is, the BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription for security. Instead, it is a reflection of software security that can:

  • Provide an objective view of your current software security initiative (SSI).
  • Give you insight into how your SSI compares to the SSIs of other BSIMM participants in your industry.
  • Show year-over-year SSI progress through consecutive BSIMMs.

The Synopsys Maturity Action Plan (MAP) is available for organizations that want to turn the information obtained from the BSIMM into a prescriptive plan. If you don’t have a software security initiative in place, the BSIMM can help your organization develop an SSI, allowing you to answer these questions, among others:

  • What software security activities do other organizations in your vertical perform?
  • What activities should your software security initiative focus on now and in the future?
  • How many people do you need in your software security group?

If you already have a software security initiative running, you can use the BSIMM to learn where you stand against your peers and enhance your software security program.

Where can I learn more?

There are several resources available to learn more about BSIMM: 

  1. Download the latest BSIMM report.
  2. Get an overview of what is a BSIMM assessment.
  3. Learn how to get an actionable software security roadmap to address your specific application security challenges and objectives.


Resources to manage your AppSec risk at enterprise scale