Building Security In Maturity Model (BSIMM)

Bringing science to software security

In this era of digital transformation and continual change, building secure, high-quality software is more challenging than ever. If you want to instill, measure, manage, and evolve software security activities in a consistent, coordinated fashion, you need a software security initiative (SSI).

You must also ensure your SSI keeps pace with your dynamic development environment: development approaches, DevOps culture, deployment environments, regulatory requirements, supply chain, software release cycles, and so much more. To do that, you need visibility into the current state of your SSI, as well as the data to create an improvement strategy and prioritize SSI change.

The Building Security In Maturity Model (BSIMM) is a benchmarking tool that gives you an objective, data-driven view into your current software security initiative.

How high does your SSI fly?

The BSIMM is one of the best yardsticks available today, built from real-world data and useful for measuring how your software security initiative stacks up against your industry peers. The BSIMM also provides concrete details to show your executive team and Board how your security efforts are making a difference.

What does a BSIMM assessment do?

  • Enables you to communicate your software security posture to your customers, partners, and regulators, with independent assessment data to back it up.
  • Assesses your level of maturity so you can evolve your software security journey in stages, first building a strong foundation, then undertaking more complex activities over time.
  • Provides actual measurement data from the field. The BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.
  • Offers access to the BSIMM community. You can attend annual conferences and participate in a private online group to ask questions about your software security challenges and get direct, confidential feedback from your peers.

"Since 2008, the BSIMM has served as an effective tool for understanding how organizations of all shapes and sizes, including some of the most advanced security teams in the world, are executing their software security strategies. The current BSIMM data reflect how many organizations are adapting their approaches to address the new dynamics of modern development and deployment practices, such as shorter release cycles, increased use of automation, and software-defined infrastructure."

Jim Routh

Head of enterprise information risk management at MassMutual

Expand your horizons with the BSIMM

Find out what the BSIMM is all about and how you can use real data to drive and improve your software security initiative.