🌐
Codific
codific.com › home › appsec › bsimm (building security in maturity model): a complete guide
BSIMM (Building Security In Maturity Model): A Complete Guide - Codific
September 2, 2025 - Some notable examples of companies that use BSIMM include Lenovo, Bank of America and Johnson & Johnson. The framework is particularly popular among large enterprises with mature software development lifecycles (SDLCs) that require tailored ...
🌐
Sf2framework
sf2framework.com › 07-relationships › bsimm
BSIMM - Software Factory Security Framework (SF²)
BSIMM is a descriptive census of what programs already do. SF² sequences a practice baseline, and that census is one snapshot of it rather than a fixed target.
🌐
Black Duck
blackduck.com › glossary › what-is-bsimm.html
What Is the BSIMM and How Does It Work? | Black Duck
March 12, 2026 - The Building Security In Maturity Model (better known as the BSIMM) is a descriptive model that provides a baseline of observed activities for software security initiatives.
🌐
Netmaker
netmaker.io › resources › bsimm
BSIMM: Understanding the Building Security In Maturity Model
March 26, 2025 - Take the example of a healthcare company prioritizing "Privacy Engineering" to comply with regulations. By using the BSIMM framework, strategic planning becomes not just a checklist but a journey towards robust, context-aware security practices.
🌐
OWASP SAMM
owaspsamm.org › blog › 2020 › 10 › 29 › comparing-bsimm-and-samm
Comparing BSIMM & SAMM
October 29, 2020 - We like to say we visited a neighborhood to see what was happening and observed that “there are robot vacuum cleaners in X of the Y houses we visited.” Note that the BSIMM does not say, “all houses must have robot vacuum cleaners,” “robots ...
🌐
OWASP
owasp.org › www-pdf-archive › Bsimm09.pdf
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
🌐
Grcmana
grcmana.io › resources › frameworks › bsimm
BSIMM | GRCMana
January 5, 2025 - Alright, let's get into the nitty-gritty of what BSIMM really is. Picture it as a map. A map that guides companies on how to build secure software. It's not just any map, though. It's crafted from real-world data. Data collected from companies that are already doing a great job at keeping their software safe.
🌐
Konfirmity
konfirmity.com › home › glossary › bsimm framework: how it supports data protection standards (2026)
BSIMM Framework: How it supports data protection standards (2026) | Konfirmity
December 12, 2025 - Unlike compliance frameworks that prescribe specific controls, BSIMM documents what organizations actually do to achieve software security maturity—making it particularly valuable for vendors who need to demonstrate credible security practices to enterprise clients while meeting data protection obligations under frameworks like ISO 27001, SOC 2, and GDPR.
🌐
Jaatun
jaatun.no › papers › 2017 › bsimm4research.pdf pdf
Chapter 1 (actually chapter 7 in the book) The Building Security in
The BSIMM framework consists of twelve practices organised into four · domains; Governance, Intelligence, SSDL Touchpoints and Deployment (see Ta- ble 1.1). Each practice has a number of activities on three levels, with level 1 · being the lowest maturity and level 3 is the highest. For example, for practice ·
Find elsewhere
🌐
Black Duck
blackduck.com › resources › analyst-reports › bsimm.html
BSIMM16 Software Security Assessment Report | Black Duck
February 13, 2026 - For example, financial services firms might maintain compliance with regulations like GLBA, PCI DSS, or FFIEC guidelines while using BSIMM to benchmark their broader software security program maturity.
🌐
Software Engineering Institute
sei.cmu.edu › documents › 5032 › 2016_016_100_450816.pdf pdf
Building Security In Maturity Model (BSIMM)
We have added a few activities. I gave you an example of bug bounties. We've actually added · that into the model. And we track that directly because we saw it begin to emerge. And so, the · BSIMM, as a description of the space, really does adjust to describe the real world out there.
🌐
USENIX
usenix.org › conference › usenixsecurity09 › technical-sessions › presentation › building-security-maturity-model-bsimm
The Building Security in Maturity Model (BSIMM) | USENIX
In 2008 the speakers, with Sammy Migues, interviewed executives running nine initiatives, using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of the Building Security in Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs.
🌐
Synopsys
synopsys.com › content › dam › bsimm › reports › bsimm13-foundations.pdf pdf
1 BSIMM FOUNDATIONS REPORT – VERSION 13 FOUNDATIONS REPORT 2022
September 19, 2022 - into a software security framework (SSF), represented in Figure 7. The SSF is organized into four domains—Governance, Intelligence, SSDL Touchpoints, and Deployment—with those domains currently · embracing 125 activities. The Governance domain, for example, includes activities that fall under the organization, management, and ... BSIMM terminology.
🌐
Academia.edu
academia.edu › 39202305 › Bsimm
(PDF) Bsimm
May 20, 2019 - The BSIMM employs a framework of 116 activities categorized into 12 practices allowing organizations to quantitatively assess their security maturity over time.
🌐
Socket
socket.dev › glossary › building-security-in-maturity-model-bsimm
Glossary: Building Security In Maturity Model (BSIMM) - Sock...
The Building Security In Maturity Model (BSIMM) is a framework and benchmarking tool designed to assist organizations in understanding and improving their software security initiatives. Rather than providing a checklist or a one-size-fits-all solution, BSIMM acts as a mirror, reflecting the software security practices adopted by leading organizations.
🌐
GrammaTech
grammatech.com › home › what the building in security maturity model (bsimm) says about the role of sast and sca
What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA | GrammaTech
April 25, 2024 - The BSIMM11 report provides interesting insights into the state-of-the-art security practices in place in the software industry. It also outlines a framework, based on observing companies at each stage of maturity, for organization to follow who are looking to mature their practices.
🌐
Williamlien
williamlien.com › home › blog › my journey with the bsimm framework: lessons learned and success
My Journey with the BSIMM Framework: Lessons Learned and Success - My Security & AI Blog
February 13, 2024 - The Building Security In Maturity Model (BSIMM) is a powerful tool that organizations can use to assess the maturity of their software security initiatives. It's not just a theoretical model—it's based on the real-world practices of top companies. I was fortunate enough to be involved in leading our company's BSIMM assessments in 2021 and 2022.
🌐
DTIC
apps.dtic.mil › sti › trecms › pdf › AD1147155.pdf pdf
Building Security In Maturity Model (BSIMM) - DTIC
We have added a few activities. I gave you an example of bug bounties. We've actually added · that into the model. And we track that directly because we saw it begin to emerge. And so, the · BSIMM, as a description of the space, really does adjust to describe the real world out there.