My Journey with the BSIMM Framework: Lessons Learned and Success
February 12, 2024 | by William Lien
The Building Security In Maturity Model (BSIMM) is a powerful tool that organizations can use to assess the maturity of their software security initiatives. It’s not just a theoretical model—it’s based on the real-world practices of top companies. I was fortunate enough to be involved in leading our company’s BSIMM assessments in 2021 and 2022. Through these assessments, we saw measurable improvement in our approach to software security. In this blog post, I’ll share our experience with the BSIMM and offer tips for others leveraging this valuable framework.
Understanding the BSIMM
The BSIMM provides a data-driven view of what other organizations are actually doing in software security. It breaks software security practices into 12 key areas, grouped under four domains:
Governance
- Strategy & Metrics
- Compliance & Policy
- Training
Intelligence
- Attack Models
- Security Features & Design
- Standards & Requirements
SSDL Touchpoints
- Architecture Analysis
- Code Review
- Security Testing
Deployment
- Penetration Testing
- Software Environment
- Configuration Management / Vulnerability Management
The BSIMM helps you prioritize your software security efforts by showing you where you are today and where you could realistically be within a specific timeframe.
Our BSIMM Experience
When we started our first BSIMM assessment in 2021, we learned a lot about where we stood and quickly identified areas we could improve on. By conducting another BSIMM assessment in 2022, we were able to track our progress and celebrate our successes.
BSIMM Success Tips
If you’re thinking about using the BSIMM framework, here are a few tips to smooth the process:
- Gain Executive Buy-in: Support from executives is critical for driving improvement after identifying gaps with BSIMM.
- Be Patient: It takes time to build and nurture an effective software security program. Expect a journey, not an overnight result.
- Celebrate Your Wins: Software security progress can be incremental; it’s essential to recognize smaller successes along with major milestones.
Wrapping Up
Using the BSIMM framework, you can make concrete, measurable changes in your software security posture over time. The model offers more than a snapshot: it gives you a structured, repeatable way to drive a successful and evolving software security initiative.