Building Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations

Key Message: Organizations can benchmark their software security practices against 112 observed activities from 78 organizations.

Executive Summary

“The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. It is built directly from data observed in 78 software security initiatives from firms in nine market sectors. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing as described in the model. You can then identify goals and objectives and refer to the BSIMM to determine which additional activities make sense for you.”

“The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.” [1]

In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.



The BSIMM project was started about 8 years ago, based on data from 9 firms. Version 6 is based on data collected from 78 firms, reflecting the work of 287,000 developers. The BSIMM team has used data from the following companies:

Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, Trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health.

Target Audience

The target audience for BSIMM includes a central, core group called the Software Security Group (SSG), which manages the software security initiative. BSIMM users also include developers, those performing quality assurance, product managers, and senior executives including the CEO and CTO.

Structure; Addition of Healthcare Vertical; Compliance

BSIMM describes 112 activities that are grouped into 12 practices, for example, code review, penetration testing, training, attack modeling, and compliance and policy. The model is based on what high-performing firms are actually doing in their software security initiatives – observational and linked to real data from the real world. It describes the “what” as well as the “how.”

The BSIMM team has measured 33 financial services organizations and 27 software vendors. For the first time, BSIMM6 covers a number of healthcare firms. Practices performed by leaders in financial services and software development can assist those in healthcare firms that are just getting started.

It is important for firms to demonstrate that they comply with laws and regulations. But, for example, when the healthcare industry devoted all of its resources to HIPAA (Health Insurance Portability and Accountability Act) compliance for patient data privacy, it “sucked up all of the oxygen” leaving little for ensuring medical device security, which is much more important from a patient’s perspective.

By adopting a security engineering methodology such as BSIMM, firms often achieve compliance as side effect or byproduct.


Software Should be Viewed as a Security Function

Software is pervasive and is working its way into every aspect of business and our day-to-day lives (electric grid, cars, thermostats – to name a few). The Consumer Technology Association is taking a close look at BSIMM for consumer device security.

Starting a Successful Software Security Initiative

Of the 112 activities, there are 12 that are the “core” activities of BSIMM. These have been observed in 70 or the 78 firms. That said, these 12 activities are spread across the 12 practices, so there is no generally agreed to starting point, such as training.

Organizations can compare their current practices to the 12 core activities and use the results to help drive their efforts in a structured way vs. listening to the latest vendor.

Don’t Rely on Hype

Bug bounty systems are getting a lot of press these days as a good thing to do. However, only 3 or 4 firms of the 78 that have contributed to BSIMM have this as an active practice. So this is likely not the place to start.

Over its eight years, BSIMM has been used to measure the practices of about 120 firms, so it is very data driven. Thus the BSIMM core practices provide much better starting points including, for example:

Software Satellite

Members of the software satellite are involved in software security activities but are not direct members of the SSG. They may reside in a product group, quality assurance, or requirements management.

If you run the BSIMM numbers, for 287,000 developers, there should be 1,084 SSG members and 2,111 software satellite members – all addressing software security as their full time job.

A robust SSG and software satellite are two strong indicators of a high maturity organization. That said, all organizations observed for BSIMM have an SSG but many do not have a software satellite – so make sure to start with the SSG before creating a software satellite.


Failure Conditions

There are a few actions that often cause software security initiatives to fail:

These can both be overcome by forming a software security group and providing the authority, responsibility, and resources to do this work.

Making the Business Case

The best way to gain executive and board sponsorship is to obtain a baseline BSIMM score (through self-assessment or BSIMM-expert-led assessment) and convey how your organization compares to those benchmarked organizations.

You don’t want your organization to be the “slowest zebra that gets killed by the marauding lions.”

Having a data-based measurement is unbelievably powerful.

BSIMM Community

Users of BSIMM often participate in the BSIMM community, which includes a moderated mailing list and regular conferences. At the conferences, BSIMM users present their challenges, pitfalls, and successes, which is very powerful. Some key lessons learned include:

Levels of BSIMM Activities

BSIMM activities are designated as follows:

BSIMM activities evolve and move between levels as more observations are made in the field.


[1] McGraw, Gary, et. al. Building Security In Maturity Model (BSIMM) Version 6. This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License.

CERT Podcast: How to Develop More Secure Software – Practices from Thirty Organizations, September 2010

Copyright 2016 Carnegie Mellon University