BSIMM-V Examines Software Security Practices of 270,000 Developers

Cigital on Wednesday announced the fifth major release of the Building Security In Maturity Model (BSIMM) study, which collected data from 67 security initiatives at organizations around the world.

Announced to coincide with the RSA Europe conference taking place this week in Amsterdam, BSIMM-V was built in collaboration with HP and helps organizations understand, measure, and plan their software security initiatives by serving as a measurement tool built on real-world data.

According to Cigital, BSIMM-V incorporates eighteen times the measurement data of the original study in 2008 and reports on one new activity, operating a bug bounty program, bringing the total activity count to 112.

The data described by the BSIMM-V model was captured through observation by Cigital and HP Fortify.

The multi-year software security study is based on measurement of enterprises across a range of verticals including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

According to the most recent study, leading firms on average employ one full-time software security specialist for every 71 developers.

“The BSIMM Project started as a simple data driven science project and has evolved into the world’s premier measurement tool for software security,” Dr. Gary McGraw, CTO of Cigital said in a statement. “With BSIMM-V, we have significantly expanded the data set again and are now confident that we can measure any firm worldwide with the same measuring stick. If you wonder how your firm’s software security practices stack up, we can tell you.”

“Adversaries are collaborating and focusing their attacks overwhelmingly on the software layer,” said Jacob West, chief technology officer, Enterprise Security Products, HP. “To combat this market-based adversary, organizations must take a more scientific approach to software security, leveraging BSIMM-V to measure their own maturity and collaborating with peers to create more secure software industry-wide.”

In total, BSIMM-V describes the work of 975 software security professionals working with a development-based satellite of 1,953 people to secure the software developed by 272,358 developers.

“The BSIMM is an instrumental tool to determine the maturity and effectiveness of an organization’s software security activities and we use it to measure the progress in improving software security year over year,” said Jim Routh, Chief Information Security Officer of Aetna and founding board member of BSIMM, who has personally led five software security initiatives in five different firms.

More information and free access to the BSIMM-V study can be found here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.