ABSTRACT

The Building Security In Maturity Model (BSIMM) has been used successfully for years by the software security company Cigital to measure the software security maturity level of their clients. The BSIMM report and framework are released under a Creative Commons Attribution-ShareAlike license, which means they are freely available to anyone who wants to use them for any purpose, including self-assessment. The purpose of BSIMM is to quantify the software security activities performed in real software development projects in real organizations. The BSIMM framework consists of twelve practices organised into four domains: Governance, Intelligence, Secure Software Development Lifecycle (SSDL) Touchpoints, and Deployment. The framework is based on the idea that there is a formally defined software security group (SSG), and the activities are centred around this group. The BSIMM Software Security Framework represents a comprehensive list of good-practice software security activities, and it is a good foundation on which to build a software security program in a development organization.