The BSIMM initiative started in 2006, when members of Cigital (now part of Synopsys Software Integrity Group) began to develop a model to describe software security initiatives. Nine firms were selected for the initial study, and the first BSIMM was published in 2009. The purpose of the BSIMM model is to describe what actually happens in software security initiatives, rather than to prescribe what “should happen” based on opinion alone.
The BSIMM is a software security framework that categorizes 116 activities used to assess security initiatives. The framework consists of 12 practices organized into four domains: