Building Security In Maturity Model (BSIMM) - Part 1

However beautiful the strategy, you should occasionally look at the results. - Winston Churchill

Software security is becoming a major concern for organisations around the world, but more often than not, those responsible do not even know where to start.

Even though most organisations are investing in security nowadays, measuring the impact of their security activities and the return on that investment is typically overlooked.

Not understanding the impact of security activities on the organisation as a whole leads to over-investment in low-impact activities and under-investment in high-impact activities.

This is the first article in a series of blog posts about how the Building Security In Maturity Model (BSIMM) 6 helps firms start and evolve their software security initiatives and ensure that the budget is spent on high-impact activities.


BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time (Source: BSIMM FAQ). The full BSIMM6 is available under the creative commons and can be downloaded at


Since Gary McGraw, Sammy Migues, and Jacob West launched the BSIMM study in 2008, over 100 software security initiatives have been measured. BSIMM in version 6 covers the software security initiatives of 78 companies, 33 of which are financial service providers. Most of the 78 companies are considered leaders in their respective industries, as the impressive list of reference firms for BSIMM6 demonstrates.

The Software Security Framework

BSIMM is made up of a software security framework that consists of 4 domains, which are divided into 12 practices containing a total of 112 activities.

Activities are divided into three maturity levels, based on how difficult an activity is to implement and how often it has been observed.

The four domains and 12 practices are depicted in the graphic below (Source: BSIMM Software Security Framework).

BSIMM is not a standard!

BSIMM does not prescribe what you should do. It describes what other companies around the world are doing to tackle software security.

All of the 112 activities that are part of the BSIMM have been observed in actual software security initiatives. 

Software Security Initiatives

A Software Security Initiative (SSI) is an organisation-wide program to manage and evolve software security activities in a coordinated fashion.

Before exploring each of the 12 practices of the software security framework in future blog posts, I want to make one thing perfectly clear.

A successful Software Security Initiative requires full support from senior executives.

Thus, the first step of an SSI is forming a Software Security Group (SSG), an internal group responsible for software security.

Start. Stop. Continue.

Consider the following strategy:

  • Start: Obtaining support from senior executives to launch a software security initiative.
  • Stop: Doing security activities in an unmanaged, ad-hoc way.
  • Continue: Understanding which security activities your industry peers are doing.

How does your software security initiative compare with your industry peers? Contact us to find out.