BSIMM
a benchmark view of the Building Security In Maturity Model

BSIMM: a descriptive measurement of what software security programmes actually do

BSIMM (Building Security In Maturity Model) is the long-running descriptive study of the activities that software security programmes actually run in the wild. It is published by Black Duck (formerly Synopsys), refreshed annually based on a pool of participating organisations, and organised into twelve practices across four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment. Where OWASP SAMM says what a software security programme should do at each maturity level, BSIMM reports what the programmes inside the study population observably do. The two are complementary rather than competing: SAMM is the prescriptive model the roadmap is built against; BSIMM is the descriptive benchmark the roadmap is measured against.

BSIMM is most useful when an organisation needs to talk about software security in comparative terms rather than absolute ones. A statement like “our programme is mature” is unfalsifiable. A statement like “we run forty-eight of the activities in the BSIMM catalogue, twelve more than the study average, and we are below average on Intelligence (Attack Models) where we plan to add three activities this cycle” is operational. The OWASP framework reference covers the headline risk taxonomy that an AppSec programme defends against; BSIMM measures the programme that does the defending.

The four BSIMM domains and the twelve security practices

BSIMM organises its observations into four domains, each containing three security practices, for a total of twelve practices. Each practice carries a catalogue of activities and a per-activity prevalence score across the study population. The domains are the unit of leadership communication; the practices are the unit of programme planning; the activities are the unit of measurement.

For programmes that run authenticated DAST, SAST, and SCA as part of the SSDL Touchpoints (Security Testing) and Deployment (Vulnerability Management) practices, the authenticated scanning and code scanning features run those tests against the same engagement record that carries the BSIMM scorecard, so the activity-observed claim is backed by live scan output rather than a screenshot of a dashboard.

Activity prevalence: the measurement that makes BSIMM useful

BSIMM is descriptive because the question it answers is not “what should we do” but “what do programmes in the study population actually do”. The activity catalogue inside each practice is observable: a programme either runs the activity (with evidence to back the observation) or does not. The prevalence score per activity is the share of the study population that runs it. The headline BSIMM scorecard reports a per-practice activity count compared to the study-average count, the industry-vertical average count, and the highest count observed in the population, so the programme sees not only its absolute score but its comparative position.

For deeper context on the findings discipline that backs the SSDL Touchpoints (Code Review, Security Testing) and Deployment (Vulnerability Management) activities, see the findings management workflow and the security findings deduplication guide, which together cover the data hygiene that turns scanner output into defensible activity-observed evidence at BSIMM measurement time.

How BSIMM compares to OWASP SAMM, NIST SSDF, and ISO 27001

BSIMM is rarely used in isolation. It is the comparative measurement layer that other frameworks depend on for context, or that pair with prescriptive models for a different audience. The contrast below is a working view, not a buyer comparison: the practitioner question is which frameworks to pair BSIMM with, not which to pick instead of it.

Programmes that already operate under a prescriptive secure-development standard typically pair BSIMM with NIST SSDF (SP 800-218) as the regulator-facing practice list, with OWASP DSOMM as the pipeline-and-runtime maturity model where the build, deployment, hardening, and visibility planes are scored on their own four-level scale, with ISO 27001 Annex A.5 (organisational) and A.8 (technological) where the ISMS covers software development, and with SOC 2 Common Criteria where SaaS audit evidence is needed. The measurement is the comparative layer; the prescriptive standards are the policy layer; the audit frameworks are the evidence layer; and the same engagement record can carry all four.

BSIMM by role: how AppSec, security engineering, CISOs, and consultancies use it

BSIMM reads differently depending on which side of the programme you sit on. The comparative dimension makes it leadership-friendly; the activity catalogue makes it practitioner-friendly; the annual cadence makes it programme-friendly.

The persona-specific entry points are SecPortal for application security program leads (the canonical owner of an annual BSIMM measurement cycle and the per-application verification level mapping that sits underneath it), SecPortal for AppSec teams, SecPortal for security engineering teams, SecPortal for CISOs, and SecPortal for security program managers. Each anchors a different view of the same BSIMM measurement record.

The annual cycle: scope, observe, score, compare, plan, re-measure

A BSIMM measurement is most useful when it is run as a structured annual cycle rather than a one-time engagement. The cycle has six steps: scope the practices the programme is in scope for, observe the activities the programme runs (with evidence per observation), score the activity count per practice, compare against the study-average and vertical-average positions, plan the activity additions for the next cycle, and re-measure the following year on a comparable basis. The deliverable is not the scorecard; the deliverable is the comparative position and the activity additions the programme commits to.

For translating activity-additions into structured remediation work that supports the Deployment (Vulnerability Management) and SSDL Touchpoints (Security Testing) practices, see the remediation tracking workflow, the vulnerability finding state lifecycle, and the vulnerability prioritisation framework, which together cover the closure mechanics that distinguish an Intelligence-only programme from one with mature Deployment practices.

Where SecPortal fits in a BSIMM measurement cycle

SecPortal is the operating layer for a BSIMM measurement cycle. The platform holds the scope, the per-activity evidence, the per-practice activity count, the comparative-position note, the next-cycle activity additions, and the re-measurement record on one engagement, so the measurement is a live record rather than a long email thread with attached spreadsheets. For consultancies running BSIMM-style assessments on behalf of multiple clients, the security consulting workspace bundles the measurement record with branded client portals, so each client sees their own live activity catalogue and comparative position rather than a frozen PDF.

Looking for the engagement workflow that supports the measurement record itself? The penetration testing use case and the DevSecOps scanning use case capture how SecPortal turns Deployment (Penetration Testing) and SSDL Touchpoints (Security Testing) evidence into structured records covering scope, scanner output, findings, retests, and the deliverable.

For programme-level context on how maturity measurements fit into the wider security delivery operating model, see the security workflow orchestration research, the vulnerability management programme maturity model, and the enterprise security program maturity guide, which together cover the operating-model thinking that turns a BSIMM measurement into a sustained programme rather than an annual exercise that ends with the slide deck.