What We Do

It's easy to get started with BSIMM.

Get measured.

How does your software security initiative stand up to your goals?

Measuring stick for software security

112 activities

Easily pinpoint your strengths and weaknesses


Compare yourself to your peers.

How does your initiative fare compared to those in the same space?

Real-world measurement data

Descriptive, not prescriptive

Healthcare, financial, consumer electronics, ISVs


Bring science to security.

Use real data to drive your software security initiative (SSI).

Plan out data-driven goals

Adjust software security initiative according to progress

Drive budget and improvement


BSIMM6 data comes from 78 participating organizations drawn from four well-represented industries (with some overlap):

  • financial services firms,
  • independent software vendors,
  • consumer electronics organizations, and
  • healthcare companies.

Industries with lower representation in the BSIMM data pool include insurance, telecommunications, security, retail, and energy.


Download BSIMM 6

Get the latest information on software security measurement from the most recent BSIMM study.

What People Say About BSIMM

  • Markus Schumacher, Virtual Forge

    With BSIMM you not only get an impressive snapshot of security best practices - taken from 67 real firms. You also get a benchmark for your own development process that helps you to identify the gaps, fill them, and move to the next level. As a security enthusiast, I love the BSIMM and all it stands for.

  • Nigel Stanley, Bloor Research

    I have been watching the software security space for years, and more importantly following the evolution of BSIMM from the early days in 2008. Back then it seemed those of us that 'got it' were lone voices in the wilderness. Since those days the BSIMM gang have worked flat out to deliver what is now an excellent maturity model for both developers and information security practitioners interested in building secure software - which should be all of them.

  • Diana Kelley, IBM Security Systems

    BSIMM-V solidifies the study's standing as the premiere measurement framework for software security maturity. Software security and reliability are not only critical business concerns, they are the engines that will drive success and prevent failure in the hyper-rapid development world of tomorrow. BSIMM-V stands alone as the longest on-going study of software security maturity; it is not only a measuring stick, it is a guidepost for organizations at all levels of maturity to assess where they are today and help them understand how to mature their programs effectively for years to come.

  • Jeff Cohen, JP Morgan Chase

    In a field like software security, where meaningful data and metrics are hard to come by, the BSIMM stands out as an important framework and instrument to help measure firms and business units using industry best practices. I have found this data to be extremely useful to help motivate and guide improvements in software security assurance. The BSIMM community also provides many opportunities to network and discuss with peers in other companies who are working to develop similar programs.

  • Gary Warzala, Visa

    If you are thinking about developing a software security program, or enhancing your existing one, the BSIMM will provide you a tried and true measurement and planning tool developed by some of the top security practitioners in the world. BSIMM-V is the continued evolution of this data-driven set of real-world software security practices, making it more relevant than ever. If you don't think that a software security program or BSIMM is right for you, well... it's only a matter of time!

  • Bola Rotibi, Creative Intellect Consulting

    The threat landscape today for software systems has become more sophisticated and targeted. As such, organisations cannot be complacent about the way they address security. Many of the leading businesses across the market landscape have implemented security frameworks that address the IT estate, people management, process change and technology support. Quantifying the value and success of those different strategies is crucial to establishing a cookbook of successful approaches that others can leverage and build upon. This is one of the underlying principles of the BSIMM programme, and it offers a practical and pragmatic strategy for sustainable security improvement.

  • Kenneth R. van Wyk, KRvW Associates, LLC

    I’m so glad to see this important body of work continuing to grow and evolve. BSIMM remains one of the best yardsticks available to practitioners today for measuring how their secure software development stacks up against the rest of the industry. Kudos to the team for delivering BSIMM6 and moving the ball still further down the field.

  • Marcus Ranum, Tenable Security

    Software security remains one of the critical issues for computing, and is increasingly important as humans deploy the 'internet of things.' BSIMM helps define the habits of effective software security development organizations, and is an important step in the right direction.

  • Eric Baize, EMC Corporation

    EMC has been part of the BSIMM initiative since its first release when the study was based on nine companies. BSIMM-V has compiled software security best practices from 67 software security groups which gives testimony to how software security has become mainstream and is considered a vital part of standard software engineering practices at many organizations.

  • Iván Arce, Fundación Sadosky

    In infosec anyone is entitled to an opinion but everyone should produce accompanying factual data to support it. That is exactly what BSIMM is about, hard data about real software security initiatives, compiled systematically over many years, organized meticulously to facilitate understanding. Use it.

  • James Routh, NH-ISAC

    The BSIMM Community Conference offers an outstanding forum for sharing information on the evolution of software security techniques and practices that are essential for any enterprise software security program.
