Synopsys, Inc. released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms. BSIMM9 highlights the impact of cloud transformation, the emergence of a new vertical industry—retail—represented in the data pool, and the growth of the software security community.
“Development, security, and operations teams need to align, and BSIMM9 provides data suggesting this is taking place through automation, particularly as software shifts to the cloud,” said Dr. Brian Chess, senior vice president of infrastructure and security for NetSuite at Oracle. “This is a huge move in the right direction: greater velocity and better security at the same time.”
BSIMM9 describes the work of more than 7,800 software security professionals whose work guides and maximizes the security efforts of 415,000 developers across approximately 135,000 applications. BSIMM9 firms represent industry verticals including financial services, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), insurance, and retail.
Key findings from the BSIMM9 study fall under three themes: cloud transformation, BSIMM across verticals, and population growth.
“The BSIMM project has become a de facto standard for assessing and improving software security initiatives,” said Dr. Gary McGraw, vice president of security technology at Synopsys. “By measuring your firm with the BSIMM measuring stick, you can directly compare and contrast your security approach to some of the most mature firms in the world. BSIMM9 is the culmination of a decade of objective, observation-based work in the field, and it incorporates the largest set of data collected about software security anywhere.”
The BSIMM includes data collected from firms that have established real SSIs, quantifying the occurrence of 116 activities to show the common ground shared by many initiatives as well as the variations that make each initiative unique. The BSIMM data shows that high-maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the model. Organizations can use the BSIMM to compare initiatives and determine which additional activities might be useful to support their overall strategies.