Building Security In Maturity Model (BSIMM)
The Building Security In Maturity Model (BSIMM) is a data-driven model that provides an in-depth view of software security initiatives. BSIMM is not a standard or a checklist but rather a reflection of current practices observed in real-world software security programs. By assessing the software security initiatives of multiple organizations, BSIMM offers a benchmark for comparing and guiding software security practices.
Definition and purpose
BSIMM describes the common activities observed across various software security initiatives. By presenting a set of good practices, it helps organizations measure the maturity of their software security program and guides them in enhancing their software security posture. Its goal is to provide organizations with tangible data to compare their security efforts against other organizations, facilitating continuous improvement in software security.
BSIMM was initiated as a joint effort by Cigital (now a part of Synopsys) and Fortify Software (now a part of Micro Focus). Today, it's overseen by Synopsys.
BSIMM was released in September 2022 and has had no major updates.
BSIMM is sector-agnostic and can be applied to any organization focused on software security. Over time, BSIMM has accumulated data from various industries, including financial services, healthcare, technology, and more, making its observations and findings relevant across multiple sectors.
Controls and requirements
BSIMM is structured around 12 practices that span the software security domain. These practices, in turn, consist of multiple activities. The 12 practices are:
- Strategy and Metrics
- Compliance and Policy
- Architecture Analysis
- Code Review
- Security Testing
- Penetration Testing
- Software Environment
- Culture and Organization
- Incident Response and Management
- Intelligence and Research
Each practice is further broken down into a series of activities, making a total of over 100 distinct activities that organizations can use to measure their software security initiatives.
Please refer to the official BSIMM document for a detailed list of controls and requirements.
Audit type, frequency, and duration
BSIMM is not an audit framework in the traditional sense but rather a maturity model. Organizations typically engage with BSIMM assessors from Synopsys to perform an evaluation. This evaluation benchmarks the organization's current practices against the BSIMM data.
The frequency of such evaluations is at the discretion of the organization, but it might be beneficial to perform them annually or biennially to measure progress and adapt to evolving software security landscapes.
The duration of the assessment can vary but usually lasts a few days to a couple of weeks, depending on the size and complexity of the organization.