Get to know BSIMM — a crowd-sourced guidebook for your journey to better software security
If you’re in business, chances are about 100% that you’re a software business — you rely on it even if your product isn’t specifically a software product. Which means Building Security in Maturity Model (BSIMM) is not only a tool you should use, it’s also a club you should join.
Indeed, BSIMM, the subject of an annual report by software security company Black Duck now in its 15th iteration, is an example of that cliché about many hands making light work. In this case, it’s many brains (thousands) involved in software security initiatives (SSIs) that help to generate a guidebook on what works, or doesn’t, to build more-secure software. (Disclosure: I write for Black Duck.)
And a guidebook on how to make software secure is more than just nice to have. Today, it’s an existential necessity. Software runs just about everything in modern life, from critical infrastructure like energy, utilities, finance, healthcare, and transportation, to personal services like vehicles, home security, entertainment, and communication.
That has brought benefits to modern life that were unimaginable just a generation ago but also made it much more risky. Today, hostile nation states don’t have to drop bombs to disable infrastructure, and criminals don’t have to break into your house to rob you — they just have to exploit flaws in the software that runs it all.
So the obvious goal for law-abiding organizations and individuals is to reap the pleasure and prevent the pain. And how to do that better is the goal of the BSIMM report. As the report’s authors have put it for years, BSIMM isn’t prescriptive — it doesn’t tell you what you must do. It’s descriptive — it documents what others are doing.
In this year’s report, those others are 121 participating organizations across eight industry verticals. You could think of it as crowd-sourcing security, with the result a bit like a road map — your colleagues and competitors in your industry showing more than one way to a destination so you can use the route that best matches the specific characteristics, needs, and budget of your organization.
Each annual BSIMM report “is the result of studying real-world SSIs, which many organizations refer to as their application or product security program or as their DevSecOps effort. Each year, firms in different industry verticals use BSIMM to create a software security scorecard for their programs that they then use to inform their SSI improvements,” according to the report.
That anonymized data collection from participants allows the BSIMM report to detail “security program changes across people, process, technology, culture, compliance, digital transformation, and much more.” And since many SSIs use different methods and terms, the BSIMM creates a common vocabulary that everyone can use.
Granular detail
The entire report takes some time to digest, but it moves from the general to the specific, which helps organizations focus on what is most relevant to them. Early on, it notes major trends that are either new or continuing to increase or decrease. Then it documents what is driving those trends — evolving threats or technological advances — by showing what organizations or industries are doing more, less, or differently.
The specifics are presented in granular detail on initiatives ranging from automation to artificial intelligence (AI) to supply chain security tools like Software Bills of Materials (SBOMs), and much more.
The structure, or so-called “skeleton,” of the report contains 128 security activities organized under 12 practices that are in turn grouped under four domains.
As noted, the report doesn’t dictate which of those activities your organization should implement to improve its software security. But if everybody in your industry sector is doing something that yields good results, that’s a strong indication that you ought to be doing it too.
The eight industry verticals covered by BSIMM15 are the cloud, financial services, financial technology, healthcare, independent software vendors, insurance, Internet of Things (IoT), and technology.
BSIMM participants include about 3,500 software security group (SSG) members and 7,400 security champions — developers, cloud security engineers, deployment engineers, architects, software managers, testers, or people in similar roles who are interested in software security and contribute to the security posture of the organization.
Collectively, the report relies on data from about 11,100 security professionals helping about 270,000 developers build security into about 96,000 applications.
The primary reason for an annual report is that software security is never static — it is always changing in response to the evolution of technology and threats. This past year, as expected, one of the major trends was the massive expansion of the use of AI, both by those trying to build better security into their software and those trying to find weaknesses in it to exploit.
In an announcement about the report, Jason Schmitt, CEO of Black Duck, spoke to that trend, noting that “over the past year, AI has gone mainstream across organizations of all sizes, bringing both opportunities and new risks.”
And as the report puts it, “The artificial intelligence/machine learning and large language model (LLM) releases of the past few years are both exciting and terrifying for security professionals: exciting because new LLMs can perform many security tasks that were exclusively human, and terrifying because they can also perform many hacking tasks that were exclusively human.”
“On a technical level, LLMs represent a new attack surface with a new class of vulnerabilities and security requirements that the industry is still figuring out in real time,” the report adds, noting that with LLMs evolving from text and chat to images, and more recently desktop productivity, it is going to take collaboration of multiple teams (developers, security, operations, IT, and communication) to “stay ahead of the innovation curve.”
Here are several other significant trends observed by BSIMM researchers:
Compliance with government regulations
While the federal government generally doesn’t issue blanket security mandates to software makers, it has become increasingly aggressive and specific about what software vendors must do if they want to sell their products to the government. One of those mandates is self-attestation, which means that vendors are required to swear in writing that a product complies with a prescribed set of security standards. Attestation is a component of a cybersecurity strategy document from the Biden administration labeled “acquisition reform.”
Another mandate is that software products sold to the government must come with an SBOM, a full inventory of the components in a product, who made each one, what version it is, and any other unique identifiers. This helps improve security in software supply chains.
Not surprisingly, the report found significant increases in those practices. After all, government is one of the biggest buyers of technology in the country.
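The SBOM mandate described above boils down to four questions per component: what is it, who made it, which version is it, and how is it uniquely identified. The following check, an added example rather than anything from the BSIMM report or Black Duck, audits a constructed SBOM for those four fields; it assumes the CycloneDX JSON layout (`components[].name`, `version`, `supplier.name`, `purl`, `cpe`) and uses made-up component names.

```python
"""Audit an SBOM for the inventory fields a government buyer expects: each
component's name, its supplier, its version, and a unique identifier.
Constructed example; the field names follow the CycloneDX JSON layout
(components[].name / version / supplier.name / purl / cpe) as an assumption."""
import json

REQUIRED_FIELDS = ("name", "version", "supplier")
IDENTIFIER_FIELDS = ("purl", "cpe")  # either one counts as a unique identifier


def component_gaps(component: dict) -> list[str]:
    """Return the inventory fields missing from one component (empty if complete)."""
    gaps = []
    for field in REQUIRED_FIELDS:
        value = component.get(field)
        if field == "supplier":          # supplier is an object; we need its name
            value = (value or {}).get("name")
        if not value:
            gaps.append(field)
    if not any(component.get(f) for f in IDENTIFIER_FIELDS):
        gaps.append("identifier (purl or cpe)")
    return gaps


def audit_sbom(sbom_json: str) -> dict[str, list[str]]:
    """Map every incomplete component (by name, or index if unnamed) to its gaps."""
    sbom = json.loads(sbom_json)
    findings = {}
    for idx, comp in enumerate(sbom.get("components", [])):
        gaps = component_gaps(comp)
        if gaps:
            findings[comp.get("name") or f"component[{idx}]"] = gaps
    return findings


# Constructed sample SBOM: component names, versions and suppliers are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "2.4.1",
         "supplier": {"name": "Example Project"},
         "purl": "pkg:generic/libexample@2.4.1"},       # complete entry
        {"name": "widgetlib", "version": "0.9",
         "supplier": {"name": "Widget Co"}},            # no purl or cpe
        {"name": "vendored-blob", "supplier": {}},      # no version, supplier, id
    ],
})

if __name__ == "__main__":
    for name, gaps in audit_sbom(SAMPLE_SBOM).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Running it reports `widgetlib` as lacking an identifier and `vendored-blob` as lacking version, supplier and identifier, the kind of gap that blocks a meaningful supply chain inventory.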
Secure innovation
Technology evolves so quickly that new ways to do things get adopted before the industry reaches consensus on best practices. So companies with mature SSIs have been working to develop new attack methods and adversarial tests to mimic the latest tricks of the bad guys.
Continued evolution of “shift everywhere”
This is basically a trend from good to better. More than a decade ago, the exhortation at every security conference was to “shift left,” which meant to start testing code early in software development instead of waiting until the end, when it takes much more time and money to fix defects. That was an improvement, but also insufficient and misleading. The BSIMM report authors began noting several years ago that “shift left” was never intended to mean shift only left, but to conduct security control activities anywhere in the development cycle, as soon as the artifacts on which that activity depends are available. The good news is that an increasing percentage of organizations have gotten the message.
Automate, automate
This is another necessary shift from good to better. Automated software testing tools have been around for a long time, but it is now possible, and increasingly popular, to use automation to govern the development lifecycle. The activity “integrate software-defined lifecycle governance” is still a long way from mainstream at only 9.1% of the participating firms. But that was a 48% increase from the previous year.
Quality control
Most software products today are primarily assembled rather than written from scratch. Another Black Duck annual report, the “2025 Open Source Security and Risk Analysis” report, scheduled for release in late February, finds that virtually all software products contain third-party or open source software components, and that they make up an average of 70% of all codebases.
And given the escalating risks from using software that is not secure, organizations are demanding that vendors make it more secure. One of several examples is that the percentage of firms requiring software security service-level agreements in all vendor contracts increased from 36.9% to 49.6% over the past four years.
Awareness? What awareness?
One of the most ominous trends observed over the life of the BSIMM report is the decline in software security awareness training. When the BSIMM report began, 100% of the nine participating companies reported conducting awareness training. Over the next 14 years, that has dropped to barely more than 50%.
One reason cited is budget — if training is going on, employees aren’t doing work that directly generates revenue. Another is the delusion that if training was done at some point, it doesn’t need to be done again.
According to the report, “… this is a dangerous trap.” It also notes that “staffing changes all the time, and if there are no consistent efforts made, there is no guarantee engineers have ever received the needed training.”
***
There is much more detail in the BSIMM15 report that is well worth the read. As Schmitt put it, “prioritizing security in the face of emerging technologies — especially rapidly evolving fields like AI — has never been more critical or challenging. BSIMM15 offers valuable insights into how organizations are navigating these hurdles and can serve as a guide for others looking to innovate securely and build trust in their software.”
Progress on building more-secure software won’t happen overnight, of course. One of the core messages of the report since its beginning is that security is a journey, not an event. It doesn’t happen by flipping a switch or pressing a button. Still, a journey also presumes making progress toward a destination. And seeing what BSIMM participants are doing can help you start on that journey and get to the destination you want and need faster.
There’s no need to lay down some cash to start the journey either. The complete report is free, available under the Creative Commons Attribution-ShareAlike 3.0 license. So one of the best, most affordable resolutions you can make for 2025 is to add BSIMM15 to your reading list.