SOURCE: Cigital, Inc.

October 30, 2013 03:00 ET

BSIMM-V Release Expands Premier Measurement Tool for Software Security

Cigital and HP Collaborate to Study Software Security Practices of Nearly 70 Organizations and More Than 270,000 Software Developers

AMSTERDAM, THE NETHERLANDS--(Marketwired - Oct 30, 2013) - Cigital, Inc. today announced the fifth major release of the Building Security In Maturity Model (BSIMM), the industry's first and only software security measurement tool built on real-world data. Built in collaboration with HP, BSIMM-V helps organizations understand, measure, and plan their software security initiatives. Originally launched in 2008, the BSIMM data set has grown over 75 percent since the fourth release in 2012, and now describes the software security initiatives of 67 organizations, up from 51. Unlike software security methodologies based on unproven theories and hunches, BSIMM-V is built on data directly observed in the field. BSIMM-V encompasses eighteen times the measurement data of the original study and reports on one new activity, bringing the total activity count to 112.

The multi-year software security study is based on in-depth measurement of leading enterprises in a number of verticals including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

"The BSIMM Project started as a simple data-driven science project and has evolved into the world's premier measurement tool for software security," said Dr. Gary McGraw, CTO of Cigital and author of Software Security. "With BSIMM-V, we have significantly expanded the data set again and are now confident that we can measure any firm worldwide with the same measuring stick. If you wonder how your firm's software security practices stack up, we can tell you."

Using the BSIMM measurement tool, Dr. Gary McGraw, CTO at Cigital; Jacob West, CTO, Enterprise Security Products at HP; and Sammy Migues, Principal at Cigital, conducted a series of in-person interviews with executives in charge of their organization's software security initiatives to collect data for BSIMM-V. For the second time in the history of the BSIMM project, a new activity was observed in addition to the original 111, resulting in the addition of one new activity to the model going forward: operate a bug bounty program. All data described by the model are captured through direct observation by Cigital and HP Fortify.

"Adversaries are collaborating and focusing their attacks overwhelmingly on the software layer," said Jacob West, chief technology officer, Enterprise Security Products, HP. "To combat this market-based adversary, organizations must take a more scientific approach to software security, leveraging BSIMM-V to measure their own maturity and collaborating with peers to create more secure software industry-wide."

Additional highlights from BSIMM-V:

  • The BSIMM-V data set encompasses 161 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score).
  • BSIMM-V shows that leading firms on average employ one full-time software security specialist for every 71 developers.
  • BSIMM-V describes the work of 975 software security professionals working with a development-based satellite of 1,953 people to secure the software developed by 272,358 developers.

The sixty-seven firms participating in the BSIMM project make up the BSIMM Community, which hosts a private mailing list and an annual conference where representatives gather in an off-the-record forum to discuss day-to-day administration of software security initiatives. The BSIMM Europe Community will be hosting the official BSIMM-V Launch in Amsterdam on October 30, 2013. This year's BSIMM Community Conference will be hosted near Washington, D.C., November 12-14, 2013.

"The BSIMM is an instrumental tool to determine the maturity and effectiveness of an organization's software security activities and we use it to measure the progress in improving software security year over year," said Jim Routh, Chief Information Security Officer of Aetna and founding board member of BSIMM, who has personally led five software security initiatives in five different firms.

For more information and to access the BSIMM-V study, which is distributed free of charge under a Creative Commons license, please visit:


The Building Security In Maturity Model (BSIMM) is a critical tool for measuring and evaluating how well real firms build secure software. A data-driven model and measurement tool developed through the careful study and analysis of software security initiatives, BSIMM includes real-world data from nearly 70 organizations with active software security initiatives. The model includes a framework based on successful software security practices, and can help an organization objectively assess its own security investments, both present and future. For more information, please visit

About Cigital

Cigital, Inc. is the world's leading software security services and solutions company. Cigital helps public and private organizations launch and mature software security initiatives, as well as design, build, test, and maintain secure software through a combination of expert consultants, innovative technologies, and effective training built on over twenty years of cutting-edge research and successful client engagements. Cigital is headquartered outside Washington, D.C. with regional offices throughout North America, Europe, and Southeast Asia. For more information visit: