Definition and purpose

BSIMM describes the common activities observed across various software security initiatives. By presenting a set of good practices, it helps organizations measure the maturity of their software security program and guides them in enhancing their software security posture. Its goal is to provide organizations with tangible data to compare their security efforts against other organizations, facilitating continuous improvement in software security.

Governing Body

BSIMM was initiated as a joint effort by Cigital (now a part of Synopsys) and Fortify Software (now a part of Micro Focus). Today, it's overseen by Synopsys.

Last updated

BSIMM was released in September 2022 and has had no major updates.

Applies to

BSIMM is sector-agnostic and can be applied to any organization focused on software security. Over time, BSIMM has accumulated data from various industries, including financial services, healthcare, technology, and more, making its observations and findings relevant across multiple sectors.

Controls and requirements

BSIMM is structured around 12 practices that span the software security domain. These practices, in turn, consist of multiple activities. The 12 practices are:

1. Strategy and Metrics
2. Compliance and Policy
3. Architecture Analysis
4. Code Review
5. Security Testing
6. Penetration Testing
7. Software Environment
8. Training
9. Culture and Organization
10. Incident Response and Management
11. Intelligence and Research
12. Operations

Each practice is further broken down into a series of activities, making a total of over 100 distinct activities that organizations can use to measure their software security initiatives.

Please refer to the official BSIMM document for a detailed list of controls and requirements.

Audit type, frequency, and duration

BSIMM is not an audit framework in the traditional sense but rather a maturity model. Organizations typically engage with BSIMM assessors from Synopsys to perform an evaluation. This evaluation benchmarks the organization's current practices against the BSIMM data.

The frequency of such evaluations is at the discretion of the organization, but it might be beneficial to perform them annually or biennially to measure progress and adapt to evolving software security landscapes.

The duration of the assessment can vary but usually lasts a few days to a couple of weeks, depending on the size and complexity of the organization.