Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

How to Get the Most Lift from Your BSIMM Results

Table of Contents

Pick your destination
Prioritize security
Create a flight plan
Aim high
Show where you soar the highest
Make sure you’re all headed the same way
Ask for directions

Download as a PDF

7 ways to take immediate action after a BSIMM assessment

An assessment of your software security initiative based on the Building Security In Maturity Model (BSIMM) reveals how your program compares to others. Your scorecard helps you highlight areas of strength and identify gaps. What happens after you see your results determines how you will lower your risk of a cyberattack.

1. Pick your destination

After a BSIMM assessment, you can set new performance targets. For example, you may decide to take a position of leadership in your industry and increase your score across all domains of the BSIMM (Governance, Intelligence, SSDL Touchpoints, and Deployment) by your next assessment—or perhaps just one.

Get inspired: A regional bank had trouble with software security governance. The security team discovered that organizations with the highest BSIMM scores have software security groups that establish, communicate, and enforce security policies. The team reviewed governance models and decided to improve communication and strengthen satellite support within other departments in order to become a best-in-class organization.

2. Prioritize security

A BSIMM assessment can open your eyes to new strategies used by companies you admire. You can use this information to help make investment decisions. For example, you can choose to shift budget, determine what skill sets you need to hire, and define requirements for partnerships.

Get inspired: A large financial services organization considered itself a security expert but didn’t provide training for employees. After seeing how low the organization scored in training compared to other mature security initiatives, leaders shifted resources to fund security training classes to help their team stay current.

3. Create a flight plan

The BSIMM ranks security activities based on three levels of maturity. Using the model as a guide, you can evolve your own security journey in stages, first building a strong foundation and undertaking more complex activities over time.

Get inspired: The security team of a consumer products company wanted to reduce security vulnerabilities found at the end of their development process. They decided to implement source code review. Their initial strategy was to perform ad hoc reviews, with a long-term goal of making source code review mandatory on all projects.

4. Aim high

If you show your leadership irrefutable evidence that your company is not keeping up with similar organizations in the fight against cyber terror or that your peers are better at protecting their own and their customers’ sensitive data, your leadership is more likely to approve security investments and resources.

Get inspired: A market leader had acquired several smaller companies and was struggling to cover all development projects with existing security resources. BSIMM results showed the ratio of the organization’s security staff to developers was much lower than that of its peers. The organization used this information to make the case for additional headcount and third-party support.

5. Show where you soar the highest

Scoring well on the BSIMM differentiates your company as a security leader. When you communicate your security posture to customers, partners, and regulators, you’ll know you have the data to back it up.

Get inspired: After confirming the company’s position as a security leader using the BSIMM, an established security organization required all third-party development shops to integrate software security best practices into their development process before the company would take them on as new vendors.

Scoring well on the BSIMM differentiates your company as a security leader

6. Make sure you’re all headed the same way

You can use the BSIMM as a common framework to structure conversations about software security. You can share the terminology and methodology with security teams, developers, software architects, business owners, and executives in your communications and progress reports.

Get inspired: A large healthcare company had difficulty integrating security into their development process. The developers didn’t believe it could be done. The security team used BSIMM data to show that many other companies successfully integrate security earlier in the development cycle.

7. Ask for directions

Conducting a BSIMM assessment gives you automatic access to the private BSIMM community. You can attend annual conferences and participate in an online group to ask questions and get direct, confidential feedback on your software security challenges from your peers.

Get inspired: A multinational bank had not conducted a BSIMM assessment in some time. When security managers attended the annual BSIMM conference, they learned that several activities that they didn’t include in their own software security initiative had been added to the methodology. They spoke to several security leaders at the event to learn how these new activities could help them reduce risk.

Once you know where you are, you can decide where to go

Benchmarking your organization with a BSIMM assessment is an essential step in your software security journey. It sets the foundation for crafting an effective strategy to reduce your cyber risk.

Not only will you find out how your software security initiative compares to that of your peers, but you will also gain actionable insights you can apply to your business right away. As your program evolves, you can return to the BSIMM framework as often as you need to make decisions and chart your progress.

Get started