Data-driven enterprise security professionals will find much to like in the sixth edition of the Building Security in Maturity Model (BSIMM), a software security measurement tool.

Nine firms provided information on their software security practices when the BSIMM launched in 2008, with the aim of helping organizations measure how their own security activities compare to those of their peers and determine areas in which they could improve. Over the years the number of participants has grown to 104, said Gary McGraw, CTO of security consulting company Cigital and one of the driving forces behind the BSIMM.

Companies participating in the BSIMM6 include Adobe, Aetna, Bank of America, Box, Capital One, Cisco, EMC, Fannie Mae, Fidelity, Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Nokia, PayPal, Pearson, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, The Home Depot, Vanguard, Visa, VMware, Wells Fargo and Zephyr Health.

This marks the first year that the BSIMM includes data from health care organizations, which is especially significant because the health care sector is a frequent target for attackers and is often perceived as lagging behind other industries in its data protection practices.

Noting that there is "a big range in the health care vertical between leading firms and others that are just getting started," McGraw said that the 10 health care firms participating in BSIMM6 recognize the importance of software security. "There are many health care firms that have not come to that realization yet, and we need them to do so."

Software Security's Pack Mentality

Benchmarking your organization's performance against those of peers is a key step in improving software security efforts, said McGraw, likening it to "figuring out where in the pack you sit as a zebra."

"You do not want to be the slowest zebra," he said. "You want to know what to do to get in the middle of the pack, and then you can look at what the leaders are doing so you know what to do to move up toward the front of the pack."

The BSIMM includes 112 activities organized into 12 practices that fall under four central domains: governance, intelligence, SSDL touchpoints and deployment. These 12 core practices have "remained very consistent for many years," McGraw said.

Software Security Groups and Satellites

While the BSIMM describes the activities observed at participating firms rather than prescribing requirements, it treats one element as essential: a software security group (SSG). "Carrying out the activities in the BSIMM successfully without an SSG is very unlikely (and has never been observed in the field to date), so create an SSG before you start working to adopt the BSIMM activities," the BSIMM6 reads.

BSIMM6 discusses the five different ways participants have organized their SSGs and "also describes what happens as software security initiatives begin to mature," McGraw said. A key sign of maturation is the presence of a satellite, a group of folks who are interested in software security but not part of the SSG.

Satellites were observed in 100 percent of the 10 firms with the highest BSIMM scores, while none of the 10 firms with the lowest BSIMM scores has a satellite, McGraw noted. "As you get your act together and learn how to do this stuff, you begin to institutionalize it throughout your entire organization by leveraging a satellite."

With software security, showing good results early on leads to further success, McGraw said.

Building on Software Security Success

"When you adopt some of the activities in the beginning, it is very important you make sure they actually work so they are producing good results," he explained. "The SSG does that in the beginning. Your SSG should be directly involved when you begin one of the 112 activities in the BSIMM, such as code review. Once your organization figures out how to do it, then you can spread that process and those ideas more widely so others in your organization can do it outside of the SSG. The satellite helps spread the happiness."

The BSIMM also addresses identifying and encouraging potential satellite members. One great idea, McGraw suggested, is making training activities voluntary rather than mandatory. "If you have training and say 'hey we are looking for volunteers,' you get people who are psyched. You should keep track of those people as they make a great satellite later."

The BSIMM contains many such real-world management ideas, he added.

Much of the BSIMM's usefulness is due to its non-theoretical nature, McGraw said. "Each one of the 112 activities has a clear description, and in each one the examples are real. There is nothing like the BSIMM to give you incredible amounts of data about what is really going on out there."

Released under a Creative Commons license, the BSIMM is free for anyone to use. It can be downloaded here; free registration is required.

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.