Latest Building Security In Maturity Model reflects software security initiatives of 120 firms

Synopsys released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms.


“Development, security, and operations teams need to align, and BSIMM9 provides data suggesting this is taking place through automation, particularly as software shifts to the cloud,” said Dr. Brian Chess, senior vice president of infrastructure and security for NetSuite at Oracle. “This is a huge move in the right direction: greater velocity and better security at the same time.”

BSIMM9 describes the work of more than 7,800 software security professionals whose work guides and maximizes the security efforts of 415,000 developers across approximately 135,000 applications. BSIMM9 firms represent industry verticals including financial services, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), insurance, and retail.

Cloud transformation

Firms are moving their workloads and development pipelines to the cloud—a paradigm shift that requires different approaches to software security. Three new activities directly or indirectly related to cloud transformation were observed and added to the BSIMM.

Activities observed among independent software vendors, IoT companies, and cloud firms (three of the most prominent verticals) have begun to converge, suggesting that common cloud architectures require similar software security approaches.

BSIMM across verticals

The BSIMM can be used to compare SSIs within and between verticals. A new vertical industry—retail—emerged in the BSIMM9 data. SSIs in retail are maturing relatively quickly as new models focused on e-commerce become critical to sustaining a healthy business. The retail vertical is already more mature in security than healthcare and insurance.

Population growth

BSIMM9 includes data collected from 120 firms, up from 109 firms in BSIMM8. The number of software security practitioners it measures grew by 65 percent, and the number of developers included grew by 43 percent. This notable growth in the BSIMM population indicates that software security is a growing priority.

“The BSIMM project has become a de facto standard for assessing and improving software security initiatives,” said Dr. Gary McGraw, vice president of security technology at Synopsys. “By measuring your firm with the BSIMM measuring stick, you can directly compare and contrast your security approach to some of the most mature firms in the world. BSIMM9 is the culmination of a decade of objective, observation-based work in the field, and it incorporates the largest set of data collected about software security anywhere.”

The BSIMM includes data collected from firms that have established real SSIs, quantifying the occurrence of 116 activities to show the common ground shared by many initiatives as well as the variations that make each initiative unique. The BSIMM data shows that high-maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the model. Organizations can use the BSIMM to compare initiatives and determine which additional activities might be useful to support their overall strategies.

Don't miss