Building Security in Maturity Model (BSIMM) Datasheet

Bringing science to software security

BSIMM results provide a way to assess the current state of your software security initiative, identify gaps, prioritize change, and determine how and where to apply resources for immediate improvement.

What the BSIMM enables you to do

  1. Start a software security initiative (SSI) using real data.
    If you don’t have a software security initiative yet, you need one. Before you start down that path, the BSIMM will help you identify the core activities that all successful initiatives undertake—no matter what industry you’re in.

  2. Compare your SSI to other firms in your industry.
    The BSIMM is one of the best yardsticks available today for measuring how your SSI stacks up against the rest of your industry peers. With your goals in mind, you can quickly determine where you stand relative to your needs.

  3. Benchmark and track your SSI growth.
    The BSIMM is the best and only repeatable way to measure your SSI’s effectiveness. Once your SSI is established, you can use it to measure your continuous improvement year over year. It will also provide concrete details to show your executive team and board how your security efforts are making a difference.

  4. Evolve your initiative using lessons learned from mature initiatives.
    The BSIMM is a “what works” report on building and evolving a software security initiative. It comprises proven activities that mature organizations are performing today. You can use your assessment results, the BSIMM activities, and your objectives to set strategies and priorities for real improvement.

  5. Interact with professionals facing common issues.
    Along with your BSIMM, you gain access to our exclusive BSIMM community, which includes monthly newsletters, specialized quarterly webinars, U.S.- and U.K.-based annual conferences, RSA conference networking events, and a vibrant online community.

Get a personalized report

Every BSIMM comes with a detailed report highlighting your areas of strength and where you need improvement.

Customized Spider Chart. This diagram shows at a glance where you are ahead of the game and where you might be behind. As you switch from measuring-stick mode to SSI-planning mode, these results provide objective guidance that you can implement immediately.

BSIMM Company Scorecard. This table shows where you stand relative to all other initiatives. You can use it to look at your entire initiative over time, your individual business units, your business partners, and the vendors you work with.

[Figure: Earth vs. FakeFirm spider chart]

[Figure: BSIMM8 scorecard for FakeFirm, observations: 37]

What BSIMM participants are saying

Software is influencing more and more of our daily lives as consumers, professionals, and humans are embracing a digital experience. Leading organizations that use BSIMM to benchmark their software security resiliency practices have a significant competitive advantage in the marketplace.
~ Jim Routh, Chief Security Officer, Aetna

Since 2009, each new version of BSIMM demonstrates how software security is becoming more mainstream and adopted by an ever larger number of organizations. BSIMM7 is no exception and possibly represents an inflection point where software security is increasingly part of the development practices and less an independent discipline of software engineering.
~ Eric Baize, Senior Director, Product Security Office, Dell EMC

BSIMM7 is a fundamental resource for those looking for solid foundations or improvement for a software security initiative based on real data about what organizations worldwide actually do and a consistent, systematic approach to classify and understand them.
~ Ivan Arce, Director of Security, ICT program, Sadosky Foundation