Check your organization’s DevSecOps against 11th edition of BSIMM

more code on screen

Editor’s brief: If you are running DevOps at your organization, the imperative is to ensure both software quality and security at the same time, especially against today’s world of threat actors that intrude on every node, sofware or system. The 11th edition of BSIMM (Building Security In Maturity Model), or BSIMM11, reflects a topography of 130 companies from industries such as financial services, fintech, ISVs, cloud, healthcare, IoT, and retail. Read more below.

SINGAPORE Synopsys, Inc. (Nasdaq: SNPS) today published BSIMM11, the latest version of the Building Security In Maturity Model (BSIMM), created to help organisations plan, execute, measure, and improve their software security initiatives (SSIs). The 130 companies that made up BSIMM11 represent a wide range of business sectors, including banking, FinTech, ISVs, the cloud, healthcare, the Internet of Things, insurance, and retail. There are 8,457 software security experts who direct the activities of nearly 490,000 engineers, and their role is described in BSIMM11.

Organizations utilize BSIMM to benchmark their own efforts against those of the BSIMM community as a whole. Many companies, as evidenced by BSIMM11, are modifying their software security initiatives to facilitate digital transformation and contemporary software development paradigms like DevOps.

“The BSIMM is an excellent resource for security leaders interested in learning from the collective experiences of their peers, particularly to solve new or emerging challenges,” said Mike Newborn, CISO of Navy Federal Credit Union, a member organisation of the BSIMM community. “Today, most organisations face the challenge of securing a growing portfolio of applications against the backdrop of rapidly evolving and accelerating software development practices. BSIMM11 reflects how many of these organisations are adapting their software security strategies to protect themselves and their customers without stifling innovation or impeding the speed of development.”

Emerging trends in BSIMM11

  • Engineering-led software security efforts are successfully contributing to DevOps value streams in pursuit of resiliency. BSIMM11 shows that CI/CD instrumentation and operations orchestration have become standard components of many organisations’ software security initiatives, and are influencing how they are organised, designed, and executed. For example, software security teams increasingly report into a technology group or CTO (as opposed to an IT security team or CISO) and are changing how they recruit and organise talent internally.
  • Software-defined security governance is no longer just aspirational. Organisations are replacing some high-friction, out-of-band security activities with automated activities triggered by events in the CI/CD pipeline execution. Converting human processes and decision-making to algorithms is one of the ways organisations are increasingly addressing resource constraints and cadence management problems. 
  • “Shift left” is becoming “shift everywhere.” The implementation of the “shift left” concept has evolved from the literal interpretation of performing some security testing earlier in the development cycle to performing security activities as soon as the artifacts to be reviewed are available. That could mean to the left of where activities have historically been performed, but often, it’s to the right, including in production.
  • Introduction of FinTech vertical to BSIMM data pool. Upon carefully reviewing the growing data pool of firms in the financial vertical, it became apparent that there was a need to add a separate vertical to account for firms that are effectively ISVs specifically for financial services software.

“The way modern software is built and deployed has transformed dramatically over the past few years, so naturally the efforts required to secure that software are changing as well,” said Michael Ware, BSIMM co-author and senior director of technology at Synopsys. “Businesses are critically dependent on software, and modern methodologies have accelerated the speed of development. As a result, there is more software everywhere, and we still need to worry about all the pre-existing software. As a model that constantly evolves to represent the actual practices in use by hundreds of software security groups around the world—including some of the most advanced teams in the world—the BSIMM provides a near-real-time view into how these changes are being implemented to protect the growing software portfolios.”

New activities in the BSIMM represent a shift toward DevSecOps

Extensive development was seen in the three new BSIMM10 activities throughout the past year (SM3.4 Integrate software-defined lifecycle governance, AM3.3 Monitor automated asset creation, CMVM3.5 Automate verification of operational infrastructure security). This exemplifies how some organizations are making strides to quicken software security operations in order to keep up with the rate at which new software is released. The two new events for BSIMM11 are more evidence of this development (ST3.6 Implementing event-driven security testing, CMVM3.6 Publishing risk data for deployable artifacts).

BSIMM across industries

The BSIMM is a one-of-a-kind, data-driven tool for assessing software security activities in a wide range of sectors and revealing their relative strengths and shortcomings. The BSIMM11 data pool is most developed in the areas of cloud computing, the Internet of Things, and advanced technology companies. Financial services, healthcare, and insurance are all heavily regulated, but BSIMM11 also draws attention to their distinctions. The financial sector, which established software security groups ahead of other sectors like healthcare and insurance, was thought to have more developed processes. The BSIMM publishes data on the FinTech industry for the first time, and the results show that it follows a similar path to the financial services industry, with the biggest differences (in favor of FinTech) coming in training, security testing, and code review procedures.

Read the BSIMM11 Digest or download the full BSIMM11 study.


Sammy Migues, principal scientist at Synopsys, Michael Ware, senior director of technology at Synopsys, and John Steven, Founding Principal at Aedify Security, authored BSIMM11 after analyzing data collected over nearly 12 years of software security research. Some of the companies participating in the BSIMM study include: Adobe, Aetna, Alibaba, Ally Bank, Autodesk, Axway, Bank of America, Bell, BMO Financial Group, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, City National Bank, Cisco, Citigroup, Dahua, Depository Trust & Clearing Corporation, Eli Lilly, Equifax, Experian, F-Secure, Fannie Mae, Freddie Mac, General Electric, Genetec, Global Payments, HCA Healthcare, Highmark Health Solutions, Honeywell, Horizon Healthcare Services, HSBC, iPipeline, Johnson & Johnson, JPMorgan Chase & Co., Lenovo, MassMutual,  McKesson, Medtronic, Morningstar, Navient, Navy Federal Credit Union, NCR, NEC Platforms, NetApp, NewsCorp, NVIDIA, PayPal, Pegasystems, Principal Financial Group, Royal Bank of Canada, SambaSafety, ServiceNow, Synopsys, TD Ameritrade, The Home Depot, The Vanguard Group, Trainline, Trane, U.S. Bank, Veritas, Verizon, Verizon Media, Wells Fargo, and Zendesk.