New BSIMM7 Findings Show Increasing Demand For Security Processes In Software Development

By ISBuzz Team
Writer, Information Security Buzz | Oct 05, 2016 01:15 pm PST

The Latest Release of the Building Security In Maturity Model Adds New Companies and Application Container Measurement to the Secure Development Process

Dulles, VA. Cigital Inc., the industry leader in software security solutions, today released BSIMM7, the latest version of the industry’s first and only software security measurement tool built on real-world data reflecting the current state of software security. This year’s iteration of the annual report shows that software security is becoming mainstream and that organisations across all industries are now deploying software security initiatives to address ongoing software security challenges. The BSIMM facilitates building security in by assessing software security initiatives and comparing and contrasting them with others in the industry.

This year, BSIMM7 grew to include the largest number of participating companies in its eight-year history, and notably marks the addition of a BSIMM activity addressing application containers and the growing use of the cloud as part of the secure development process. The study shows that the average Software Security Group (SSG) age continues to decline, indicating that firms are adopting the BSIMM earlier in the life of their software security initiatives. With the emergence of IoT and the spread of software across the enterprise, BSIMM7 shows that software security is becoming a major component of day-to-day operations.

“Software is influencing more and more of our daily lives as consumers, professionals and humans embrace a digital experience,” said Jim Routh, CSO, Aetna. “Leading organisations that use BSIMM to benchmark their software security resiliency practices have a significant competitive advantage in the marketplace.”

New verticals added to BSIMM7 include Internet of Things (IoT) and insurance, deepening the BSIMM data set and providing an essential view of the value of software security as the security industry changes. Although the expanded healthcare vertical includes some mature outliers, the data shows that healthcare continues to lag behind in software security, consistent with the BSIMM6 analysis. BSIMM7’s expanded data set included a greater number of firms with newer software security initiatives, and verticals with less software security experience. These industries consistently showed less maturity than the cloud, financial services and independent software vendor verticals.

“We’re proud of the growth of the BSIMM data set as it shows the continued evolution of the market as more organisations understand the need for effective processes to address software security concerns,” said Dr. Gary McGraw, CTO of Cigital. “We’re now seeing even more companies using the BSIMM strategically and inquiring about the latest data. By working with organisations we have first-hand insight into the challenges they’re facing and ways these problems can be solved. In addition, we were able to conduct a second set of interviews with several companies to identify how software security has changed over time.”

Dr. McGraw, along with Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, analysed data collected during the past eight years of software security research. Cigital is grateful for the participation of companies including: Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Horizon Healthcare Services, Inc., HP Fortify, HSBC, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo and Zephyr Health.

To download the report, visit


Started in 2008, the Building Security In Maturity Model (BSIMM) is a tool for measuring and evaluating software security initiatives. A data-driven model and measurement tool developed through the careful study and analysis of software security initiatives, the BSIMM includes real-world data from over 100 organisations. The BSIMM is an open standard that includes a framework based on software security practices, which an organisation can use to assess its own efforts in software security.

