BSIMM Enterprise Security Model Grows with More Real-World Data

The set of best practices for developing and growing an enterprise-wide software security program based on real-world studies of successful company initiatives known as BSIMM (Building Security In Maturity Model) recently got a little bigger.

The fourth edition (BSIMM4) provides real-world data from 51 companies -- up from 42 in BSIMM3, released last year -- and 10 times the data of the orginial study conducted in 2009. The 109 "activities" (practices of the companies’ software security groups) observed in the original study also grew to 111.

A "maturity model" describes the capability of an organization’s processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known example from software engineering. The BSIMM ( (pronounced "bee-simm") is the first maturity model for security initiatives created entirely from real-world data.

The BSIMM was originally developed by security consulting firm Cigital ( and Fortify Software (since aquired by HP). The latest study was authored by Gary McGraw, CTO of Cigital; Sammy Migues, Director of Knowledge Management and Training of Cigital, and Jacob West, CTO of Fortify Products in HP’s  Enterprise Security group. BSIMM3 was authored by McGraw, Migues, and Brian Chess, distinguished technologist at HP (and co-founder and former chief scientist at Fortify).

But the authors hasten to add in a statement that BSIMM4 "describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers."

The purpose of the project, McGraw said in an earlier interview, is to build a "measuring stick," so that companies can compare themselves to other companies in their industries who have managed successful software security initiatives. Using the BSIMM measuring stick, McGraw, Migues, and West conducted in-person interviews with executives in charge of the software security initiatives. McGraw emphasized that the model is fact-based. "We wanted to turn from the early days of evangelism and advocacy in software security and science," he said. "And this is how to do it."

BSIMM4 marks the first time the researchers observed new activities significant enough to add to the model. Activities include things like translate compliance constraints to requirements, identify metrics and use them to drive budgets, and feed results to the defect management and mitigation system. The two new activities they observed for version 4: simulate software crisis and automate malicious code detection.

The original BSIMM project looked at only nine companies. The 51 participating companies studied for BSIMM4 represent 12 industry verticals: financial services, ISVs, technology firms, cloud, media, security, telecommunications, insurance, energy, retail, healthcare, and ISPs. The list of companies includes, in part: Adobe, Bank of America, Box, Fannie Mae, Goldman Sachs, Google, Intel, Intuit, JPMorgan Chase & Co., Microsoft, Rackspace, Salesforce, SAP, Scripps Networks, Sony Mobile, Visa, VMware, Wells Fargo, and Zynga.

"We are very pleased with the effect BSIMM is having beyond its primary use as a reflection of the state of software security," said Migues in a statement. "We see it referenced directly in business partner discussions, in government and commercial acquisitions, in service level agreements, and vendor management processes."

BSIMM4 is distributed free under a Creative Commons license. The BSIMM document can be downloaded from the web (, and there’s a clickable web version available (

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].