Aytose Group

Building Security In:
An In-Depth Look at the BSIMM Framework

Research Brief

The Building Security In Maturity Model (BSIMM) is a highly influential, data-driven framework designed to measure and describe the activities carried out by real-world Software Security Initiatives (SSIs), often referred to as application security (AppSec) programs.

Unlike prescriptive models that tell you what you should be doing, BSIMM is descriptive, detailing what leading organizations are actually doing to secure their software. It functions as a powerful, quantitative measuring stick and a roadmap built from empirical evidence across diverse industries.

💡 What is the BSIMM?

The BSIMM originated in 2008 as a study of a small group of companies to quantify software security practices. It has since evolved into a living model, updated annually with data collected from hundreds of major organizations globally across various sectors, including financial services, healthcare, technology, and more.

Key Characteristics of BSIMM:

  • Data-Driven and Descriptive: The model is an observational report based on recurring measurements of actual security activities in participating organizations. It doesn't prescribe what to do but provides an objective baseline of current industry practices.
  • Benchmarking Power: Its primary utility is allowing organizations to benchmark their Software Security Initiative (SSI) against their peers (e.g., within their industry or organizations of similar size/risk profile).
  • Structured and Quantifiable: It organizes the complex world of AppSec into domains, practices, and specific, measurable activities.
  • Proprietary Model: The BSIMM is maintained and administered by Synopsys (originally Cigital), and official assessments are typically conducted by their experts to ensure consistency and data integrity.

🏗️ The BSIMM Structure: Domains, Practices, and Activities

The BSIMM framework is organized into a four-level hierarchy, detailing all the activities observed in high-performing SSIs.

1. The Four Domains

The model groups the entire software security effort into four top-level domains:

Domain | Focus Area
1. Governance | Establishing the SSI, defining strategy, policy, and funding, and driving organizational adoption.
2. Intelligence | Creating and gathering knowledge—such as attack patterns, security features, and secure design—to be used by development and security teams.
3. SSDL Touchpoints | Integrating security assurance activities into the Secure Software Development Lifecycle (SSDL), focusing on analysis and testing.
4. Deployment | Managing security operations, configuration, and vulnerability management in the production and pre-production environments.

2. The Twelve Practices

Each of the four Domains contains three associated Security Practices, totaling 12 practices in the model. These practices define the core areas of focus for the SSI.

Domain | Associated Practices
Governance | Strategy & Metrics, Compliance & Policy, Training
Intelligence | Attack Models, Security Features & Design, Standards & Requirements
SSDL Touchpoints | Architecture Analysis, Code Review, Security Testing
Deployment | Penetration Testing, Software Environment, Configuration Management & Vulnerability Management

3. Activities and Activity Levels

Within the 12 Practices, the BSIMM framework defines over 100 concrete, observable Activities. These are the specific, measurable tasks an SSI performs (e.g., "Require mandatory code review for all projects," "Perform annual security awareness training").

BSIMM also assigns an Activity Level (1, 2, or 3) to each activity. These levels indicate the relative frequency with which an activity is observed in organizations, with Level 3 activities being less common and generally more advanced, requiring greater effort and maturity.

Crucial Difference: In the BSIMM, Activity Levels do not necessarily mean "Level 1 is basic, Level 3 is better." They simply denote the level of sophistication and frequency observed in the BSIMM data set. An organization's roadmap is not to blindly implement all Level 3 activities but to choose activities that align with its specific risk profile and business goals.

🗺️ How to Use the BSIMM: Assessment and Benchmarking

Using the BSIMM involves a formal assessment that yields a highly detailed, objective measurement of the organization's current security posture.

  1. The Measurement: A BSIMM assessment is typically a focused engagement with experts who interview stakeholders across development, security, and operations teams, and review documentation to confirm the presence and scale of each of the 100+ activities.
  2. The Scorecard: The result is a BSIMM Scorecard—a quantifiable measure of which activities the organization is performing and at what level. The organization is then given a total score that summarizes the state of its SSI.
  3. The Benchmark Comparison: The organization's scorecard is mapped against the full, anonymous data set of all BSIMM participants. The organization receives detailed feedback on how its SSI compares against the entire BSIMM population, specific industry verticals, and companies of similar size or age. This reveals specific gaps and opportunities, showing exactly where it over-invests and under-invests compared to its peers.
  4. The Roadmap (Maturity Action Plan): Based on the benchmark, the organization can create a Maturity Action Plan (MAP). This plan is grounded in what successful, real-world SSIs are doing, ensuring that the chosen activities will deliver proven value and lead to measurable progress.
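The measurement-to-roadmap procedure above, as an added example that is not part of the original brief and is not BSIMM's or Synopsys's own scoring method (the official scorecard and benchmark calculations are not reproduced here). It takes a constructed list of activity observations for the 12 practices named in the brief, counts the observed activities as a total score, summarizes each practice by its high-water mark (the highest activity level observed, an assumption used here as the per-practice summary), compares those marks against constructed peer averages with a tolerance band, and orders the under-invested practices as the seed of a Maturity Action Plan. Apart from the two activities quoted in the brief, the activity names and every peer figure are placeholders.

```python
"""Toy BSIMM-style scorecard and benchmark comparison (illustrative, not the official method)."""
from dataclasses import dataclass

# The four domains and their twelve practices, exactly as listed in the brief.
DOMAINS = {
    "Governance": ["Strategy & Metrics", "Compliance & Policy", "Training"],
    "Intelligence": ["Attack Models", "Security Features & Design", "Standards & Requirements"],
    "SSDL Touchpoints": ["Architecture Analysis", "Code Review", "Security Testing"],
    "Deployment": ["Penetration Testing", "Software Environment",
                   "Configuration Management & Vulnerability Management"],
}
PRACTICES = [p for practices in DOMAINS.values() for p in practices]


@dataclass(frozen=True)
class Activity:
    """One observable activity: which practice it belongs to, its level (1-3), and whether it was observed."""
    practice: str
    level: int
    name: str
    observed: bool = False


def validate(activities):
    """Reject activities that reference an unknown practice or an invalid level."""
    for a in activities:
        if a.practice not in PRACTICES:
            raise ValueError(f"unknown practice: {a.practice}")
        if a.level not in (1, 2, 3):
            raise ValueError(f"invalid activity level: {a.level}")


def total_score(activities):
    """Scorecard total: number of activities the assessment observed (assumption: one point each)."""
    validate(activities)
    return sum(1 for a in activities if a.observed)


def high_water_marks(activities):
    """Per-practice high-water mark: highest observed level, 0 when nothing was observed."""
    validate(activities)
    marks = {p: 0 for p in PRACTICES}
    for a in activities:
        if a.observed:
            marks[a.practice] = max(marks[a.practice], a.level)
    return marks


def benchmark(org_marks, peer_marks, tolerance=0.5):
    """Compare the organization's marks with peer averages; returns
    practice -> (org, peer, delta, verdict) where verdict flags over-/under-investment."""
    report = {}
    for p in PRACTICES:
        delta = org_marks[p] - peer_marks[p]
        if delta <= -tolerance:
            verdict = "under-invests"
        elif delta >= tolerance:
            verdict = "over-invests"
        else:
            verdict = "in line"
        report[p] = (org_marks[p], peer_marks[p], round(delta, 2), verdict)
    return report


def action_plan(report):
    """Under-invested practices, largest gap first: the starting point for a Maturity Action Plan."""
    gaps = [p for p in PRACTICES if report[p][3] == "under-invests"]
    return sorted(gaps, key=lambda p: report[p][2])


# Constructed assessment results; names other than the two quoted in the brief are placeholders.
ASSESSMENT = [
    Activity("Strategy & Metrics", 1, "Publish the SSI process (placeholder)", True),
    Activity("Training", 1, "Perform annual security awareness training", True),
    Activity("Training", 2, "Role-specific advanced curriculum (placeholder)", False),
    Activity("Attack Models", 1, "Maintain a top-N attack list (placeholder)", False),
    Activity("Code Review", 1, "Require mandatory code review for all projects", True),
    Activity("Code Review", 2, "Tailored static analysis rules (placeholder)", True),
    Activity("Security Testing", 1, "Automated tests in QA (placeholder)", True),
    Activity("Security Testing", 3, "Risk-driven test design (placeholder)", True),
    Activity("Penetration Testing", 1, "External penetration testers (placeholder)", True),
]

# Constructed peer averages of the high-water mark per practice (placeholders, not BSIMM data).
PEER_AVERAGE = {
    "Strategy & Metrics": 1.6, "Compliance & Policy": 1.4, "Training": 1.2,
    "Attack Models": 1.1, "Security Features & Design": 1.3, "Standards & Requirements": 1.5,
    "Architecture Analysis": 1.2, "Code Review": 1.8, "Security Testing": 1.6,
    "Penetration Testing": 1.9, "Software Environment": 1.4,
    "Configuration Management & Vulnerability Management": 1.7,
}

if __name__ == "__main__":
    print("total score:", total_score(ASSESSMENT))
    report = benchmark(high_water_marks(ASSESSMENT), PEER_AVERAGE)
    for practice, (org, peer, delta, verdict) in report.items():
        print(f"{practice:55s} org={org} peer={peer} delta={delta:+.2f} {verdict}")
    print("action plan order:", action_plan(report))
```

The tolerance band keeps a practice whose mark is within half a level of the peer average from being flagged either way, which mirrors the brief's point that the roadmap is about closing meaningful gaps rather than matching every peer figure or chasing Level 3 activities for their own sake.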

⭐ Conclusion and Next Steps

The BSIMM is an unparalleled tool for companies that want an objective, data-backed measurement of their software security program against industry leaders. It moves the conversation beyond theoretical best practices to what is tangibly working for top organizations in the fight against modern cyber threats.

By leveraging the collective intelligence of the BSIMM community, organizations can build trust with stakeholders, make smarter investments, and continuously evolve their SSI to meet the ever-changing demands of secure software development.