BSIMM16 Report

An analysis of the top software security initiatives

Building Security in Maturity Model (BSIMM) is a data-driven model developed through the analysis of real-world software security initiatives. For the 16th edition of our report, we analyzed the software security practices of 111 organizations across a variety of verticals. This report identifies the key trends and activities across those organizations so you can benchmark your own program against your peers. See how companies are addressing trends such as

  • AI adoption in software development
  • Software supply chain risk management and SBOM creation
  • Regulatory compliance and self-attestation requirements
  • The evolution of traditional security training to just-in-time and open collaboration


What's Inside

The BSIMM16 report, published in January 2026, represents the latest evolution of this detailed measuring stick for software security. Through the analysis of these software security initiatives, the BSIMM16 report reveals


  • The top 12 software security activities being used today
  • Continued focus on AI, which is driving new standards for technology adoption
  • Notable growth in SBOM creation, driven by U.S. government self-attestation requirements
  • Key actions organizations can take to improve their application security programs

FAQ

  • What is BSIMM and how does it help organizations improve software security?

    Building Security in Maturity Model (BSIMM) is the industry’s most comprehensive framework for measuring and benchmarking software security programs. It is a descriptive model that depicts real-world practices from organizations implementing successful software security initiatives (SSIs). Rather than a prescriptive, one-size-fits-all approach, BSIMM enables organizations to assess their current maturity level and compare it to organizations that have successfully built and evolved their software security programs. Organizations use BSIMM throughout their security journey—whether they’re establishing a new SSI from scratch or evolving mature programs to address emerging threats and technologies. The model provides a common vocabulary and methodology that facilitates communication with executives, board members, customers, partners, and regulators, and demonstrates concrete progress in securing the software development life cycle (SDLC). By grounding security strategy in observable, proven practices rather than theoretical “best practices,” BSIMM delivers actionable insights that drive meaningful improvements in your organization’s software security posture.

  • How does the BSIMM assessment process work?

    A BSIMM assessment is a structured evaluation process that measures your software security program against the BSIMM framework’s 128 activities, providing comprehensive insights into your organization’s security maturity. The assessment process systematically examines your current security practices across all four BSIMM domains—Governance, Intelligence, SSDL Touchpoints, and Deployment—to create a detailed profile of your software security initiative.

    The assessment begins with in-depth interviews by BSIMM consultants with key stakeholders across your organization. These interviews explore the specific activities your organization performs, how they’re implemented, their effectiveness, and the resources dedicated to them. The assessment then examines documentation, reviews processes, and validates claims to ensure an accurate representation of your security posture. Throughout the evaluation, assessors map your activities to the BSIMM framework’s maturity levels. The assessment delivers a comprehensive scorecard showing which of the 128 activities your organization currently performs, your maturity level within each of the 12 practices, and how you compare against the broader BSIMM community. Following the assessment, you receive actionable recommendations prioritized based on your organization’s risk profile, business objectives, and available resources.

  • How does BSIMM compare to OWASP SAMM?

    BSIMM and OWASP Software Assurance Maturity Model (SAMM) are complementary frameworks that serve different purposes in the software security landscape. The fundamental difference lies in their philosophical approaches. BSIMM is a descriptive model based on observed practices from real organizations, and currently includes data from 111 participants across multiple industries. OWASP SAMM is a prescriptive framework developed by security experts who define what organizations should do to achieve software security maturity. SAMM provides structured guidance with specific maturity levels and improvement roadmaps, and offers a directive approach to building security programs.

    BSIMM’s strength lies in its extensive real-world dataset and comparative benchmarking capabilities. With 128 activities across 12 practices and four domains, BSIMM enables you to see precisely where you stand relative to industry peers, understand which practices are most commonly adopted, and identify emerging trends in software security. This data-driven perspective is vital for justifying investments to executives, demonstrating compliance to regulators, and making strategic decisions grounded in market reality.

  • What is a software security initiative and why does my organization need one?

    A software security initiative (SSI) is an organized, strategic application security (AppSec) program that systematically builds security into your organization’s software development life cycle. Unlike reactive security measures that address vulnerabilities after deployment, an SSI proactively integrates security practices throughout design, development, testing, and operational phases, creating a comprehensive defense-in-depth approach to software security. An SSI typically centers around a software security group (SSG)—a team of dedicated security professionals who provide expertise, create security standards, develop training programs, and coordinate security activities across development teams.

    Effective SSIs, however, extend beyond the SSG, incorporating security champions embedded within engineering teams, automated security tools integrated into development pipelines, and security practices woven into organizational culture and processes. The BSIMM framework specifically measures and benchmarks SSIs, providing a roadmap for building or improving your AppSec program. By documenting the activities that successful organizations actually perform in their SSIs, BSIMM helps you identify what practices to prioritize, how to structure your security organization, where to invest your resources, and how to demonstrate progress.

  • What industries and types of organizations use BSIMM for software security?

    BSIMM serves organizations across industry verticals, each bringing its own security challenges, regulatory requirements, and risk profile to its software security initiative. This diversity demonstrates the framework’s versatility and relevance regardless of sector, while industry-specific benchmarking helps you compare your security posture against the most relevant peer organizations.

    Financial services is one of the largest BSIMM-participating verticals, reflecting this sector’s sophisticated security requirements driven by stringent regulations, high-value data protection needs, and advanced threat landscapes. Banks, insurance companies, payment processors, and investment firms use BSIMM to demonstrate security maturity to regulators, assess risk from third-party software vendors, and benchmark their programs against industry leaders.

    Healthcare organizations leverage BSIMM as they navigate complex regulations such as HIPAA, protect sensitive patient data, and secure increasingly software-driven medical devices and health information systems.

    Technology companies, including cloud service providers and software-as-a-service organizations, extensively adopt BSIMM to ensure their products meet customer security expectations and industry standards.

    Independent software vendors use BSIMM to build credibility with enterprise customers that demand robust security practices from their software suppliers.

    Retail organizations—particularly those processing payment card data and managing customer information at scale—use BSIMM to enhance their software security alongside PCI DSS compliance programs.

    Other participating verticals include insurance, consumer goods, media, education, telecommunications, and manufacturing. Each adapts BSIMM practices to its specific security context. The BSIMM16 report provides data from organizations ranging from Fortune 500 enterprises with extensive resources to midmarket companies building their first formal SSIs.

  • Can organizations use BSIMM to demonstrate regulatory compliance and meet security requirements?

    BSIMM serves as a powerful complement to compliance programs, though it’s important to understand both its strengths and limitations in regulatory contexts. Organizations successfully leverage BSIMM for compliance-adjacent purposes while recognizing it doesn’t directly map to specific regulatory requirements.

    BSIMM’s value for compliance lies in demonstrating security program maturity and systematic risk management approaches that regulators, auditors, and compliance teams increasingly demand. BSIMM provides objective evidence that your organization implements comprehensive security controls throughout the SDLC, maintains documented processes, and continuously improves security capabilities.

    Organizations operating in regulated industries frequently use BSIMM alongside specific compliance frameworks, rather than as direct substitutes. For example, financial services firms might maintain compliance with regulations like GLBA, PCI DSS, or FFIEC guidelines while using BSIMM to benchmark their broader software security program maturity. Healthcare organizations comply with HIPAA requirements while leveraging BSIMM to optimize their security development practices beyond minimum compliance thresholds.

    BSIMM’s Compliance and Policy practice specifically includes activities relevant to regulatory environments, such as unifying regulatory pressures, identifying privacy obligations, creating policies, implementing and tracking compliance controls, and ensuring executive awareness of compliance requirements. Regulators and auditors increasingly recognize BSIMM’s legitimacy, particularly in sectors where software security significantly impacts overall risk posture.

    The strongest compliance strategy combines meeting specific regulatory requirements with demonstrating broader security maturity through frameworks like BSIMM. This approach satisfies immediate compliance obligations while building resilient security capabilities that protect your organization against evolving threats and provide competitive advantages in security-conscious markets.