
BSIMM-V Examines Software Security Practices of 270,000 Developers

Cigital on Wednesday announced the fifth major release of the Building Security In Maturity Model (BSIMM) study, which collected data from 67 software security initiatives at organizations around the world.

Announced to coincide with the RSA Europe conference taking place this week in Amsterdam, BSIMM-V was built in collaboration with HP and helps organizations understand, measure, and plan their software security initiatives by serving as a measurement tool built on real-world data.

According to Cigital, BSIMM-V incorporates eighteen times the measurement data of the original study in 2008 and reports on one new activity (operating a bug bounty program), bringing the total activity count to 112.

The data described by the BSIMM-V model was captured through observation by Cigital and HP Fortify.

The multi-year software security study is based on measurement of enterprises across a range of verticals including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

According to the most recent study, leading firms on average employ one full-time software security specialist for every 71 developers.

"The BSIMM Project started as a simple data driven science project and has evolved into the world's premier measurement tool for software security," Dr. Gary McGraw, CTO of Cigital said in a statement. "With BSIMM-V, we have significantly expanded the data set again and are now confident that we can measure any firm worldwide with the same measuring stick. If you wonder how your firm's software security practices stack up, we can tell you."

"Adversaries are collaborating and focusing their attacks overwhelmingly on the software layer," said Jacob West, chief technology officer, Enterprise Security Products, HP. "To combat this market-based adversary, organizations must take a more scientific approach to software security, leveraging BSIMM-V to measure their own maturity and collaborating with peers to create more secure software industry-wide."

In total, BSIMM-V describes the work of 975 software security professionals working with a development-based satellite of 1,953 people to secure the software developed by 272,358 developers.

"The BSIMM is an instrumental tool to determine the maturity and effectiveness of an organization's software security activities and we use it to measure the progress in improving software security year over year," said Jim Routh, Chief Information Security Officer of Aetna and founding board member of BSIMM, who has personally led five software security initiatives in five different firms.

More information and free access to the BSIMM-V study can be found here


For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.