BSIMM
Annual empirical AppSec maturity model.
Definition
BSIMM14 structure: 4 domains (Governance, Intelligence, SSDL Touchpoints, Deployment) x 12 practices x ~130 activities. Reflects what top SSI organizations DO, not what they SHOULD do. Data collected via interviews + observations. Competes with OWASP SAMM (theoretical vs empirical BSIMM).
Origin
Cigital 2008 (Gary McGraw, Sammy Migues, Brian Chess), Synopsys acquisition 2016, Black Duck Software spin-off September 2024.
Usage
Reference for Fortune 500 CISOs and VP AppSec for benchmarking against industry top quartile practices.
Related terms
- OWASP SAMM — concurrent théorique.
- AppSec maturity — catégorie.
- Black Duck Software — opérateur 2024+.