The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.
The first BSIMM study, co-authored by me, Sammy Migues, and Brian Chess, was published in 2009. Ten years later, BSIMM9 was the last version I was directly involved in. BSIMM seems to have degenerated into a generic marketing exercise in the years since I retired from Synopsys. YMMV.
BSIMM is not a “how to” guide, nor is it a one-size-fits-all prescription. Instead, BSIMM is a reflection of software security as it is actually practiced.
Here is an archive of the first nine BSIMM documents: