Gary McGraw
You're listening to the Cyberwire Network powered by N2K.
Rick Howard
The word is BSIMM, spelled B for building, S for security, I for in, M for maturity, and M for model.

Definition: A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops.

Example sentence: The BSIMM is primarily a measuring stick for software security, used by developers to compare and contrast their own initiative with the data about what other organizations are doing.

Origin and context: Dr. Gary McGraw is one of the early security thought leader founding fathers, probably on the same importance level as Bruce Schneier, Marcus Ranum, and Jeff Moss. His niche area of expertise is software security, and he has written at least a dozen books on the subject from 1996 to 2018. In March of 2008, while working as the CTO of Cigital, a software security firm, he embarked on a scientific data collection project that eventually led to version one of the Building Security in Maturity Model, or BSIMM. The model is a descriptive model, as opposed to a prescriptive model like SAMM, the Software Assurance Maturity Model. SAMM tells you what organizations should be doing in terms of software security. BSIMM tells you what organizations are actually doing. In version one, McGraw and his Cigital team surveyed some 30-plus companies and simply collated initiatives and activities around software security. The initial model offered no judgments. The idea was to collect what the community was doing. For the first time, this model started to nudge the community into a common vocabulary. By 2014, Synopsys, another consulting firm, acquired Cigital but still released a new BSIMM report every year. In the 2021 report, the BSIMM version 12 project surveyed some 128 organizations and collected data on 324 primary measurements from almost 4,000 developers and 153,000 applications.
From the report, the top three activities observed: one, implement life cycle instrumentation and use it to define governance; two, ensure host and network security basics are in place; and finally three, identify PII obligations. And the report does identify the use of a software bill of materials, or SBoM, by many of the 128 participating organizations.

Nerd reference: At the OWASP AppSec USA conference in 2014, Gary describes what the BSIMM is for.
Gary McGraw
The idea was we're going to go gather data, and we're going to take the data, and then we're going to look at the data, and then we're going to build a model to describe the data. I just said data, data, data, data, data. Right? Real data, take it all, build model. Now this is weird, because computer science, the way we usually do it, is, well, I have a pet theory. So I'm going to build a big old system and then I'm going to try to justify it with a little bit of data. But in most sciences, it works the other way around. I got a big old pile of data. Now I'm gonna try to model that data. That's what the BSIMM was about.
Rick Howard
Word Notes is written by Nyla Genoe, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Podcast Summary: Hacking Humans - Episode on BSIMM
Podcast Information:
In this episode of Hacking Humans, N2K Networks delves into the Building Security in Maturity Model (BSIMM), a pivotal framework in the realm of software security. BSIMM serves as a benchmark for organizations to assess and enhance their software security initiatives by providing a descriptive model based on real-world practices observed across various companies.
Rick Howard introduces BSIMM by breaking down its acronym: B for building, S for security, I for in, M for maturity, and M for model.
He explains that BSIMM is "a descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops." This model acts as a "measuring stick for software security," enabling developers to "compare and contrast their own initiative with the data about what other organizations are doing." [00:15]
The concept of BSIMM was pioneered by Dr. Gary McGraw, a renowned figure in software security comparable to luminaries like Bruce Schneier and Jeff Moss. Dr. McGraw initiated the BSIMM project in March 2008 while serving as the CTO of Cigital, a software security firm. His goal was to create a scientific data collection effort that would culminate in a version one of BSIMM.
Unlike prescriptive models such as the Software Assurance Maturity Model (SAMM), which outlines "what organizations should be doing" in terms of software security, BSIMM is descriptive, focusing on "what organizations are actually doing." [00:15]
A significant portion of the episode highlights the data-centric approach that distinguishes BSIMM. Gary McGraw emphasizes this methodology:
Gary McGraw [03:23]: "The idea was we're going to go gather data and we're going to take the data and then we're going to look at the data and then we're going to build a model to describe the data. I just said data, data, data, data, data. Right? Real data, take it all, build model."
He contrasts this with the traditional computer science approach, where theories are often developed first and then justified with data. Instead, BSIMM adopts the scientific norm of "a big old pile of data" leading to model creation, ensuring that the model is firmly grounded in actual industry practices.
Since its inception, BSIMM has grown significantly. In 2014, Synopsys acquired Cigital but continued to release annual BSIMM reports. By 2021, the BSIMM version 12 project expanded its scope, surveying 128 organizations and collecting data on 324 primary measurements from nearly 4,000 developers and 153,000 applications.
The 2021 BSIMM report highlights the top three observed software security activities:

1. Implement life cycle instrumentation and use it to define governance.
2. Ensure host and network security basics are in place.
3. Identify PII obligations.
Additionally, the report notes the increasing adoption of the Software Bill of Materials (SBoM) among the surveyed organizations. An SBoM provides a comprehensive list of components in software applications, enhancing transparency and facilitating vulnerability management.
One of BSIMM's significant contributions is fostering a common vocabulary within the software security community. By aggregating and categorizing security initiatives from multiple organizations, BSIMM enables companies to benchmark their practices against industry standards and identify areas for improvement.
The episode provides a comprehensive overview of BSIMM, highlighting its foundational principles, methodological rigor, and practical impact on software security practices. By prioritizing data-driven insights and fostering collaboration among organizations, BSIMM continues to be an invaluable tool for enhancing software security maturity across the industry.
Notable Quote:
Gary McGraw [03:23]: "This is weird because computer science, the way we usually do it, is, well, I have a pet theory. So I'm going to build a big old system and then I'm going to try to justify it with a little bit of data. But in most sciences, it works the other way around."
Credits: Word Notes is written by Nyla Genoe, executive produced by Peter Kilpe, and edited by John Petrik and Rick Howard. Mix, sound design, and original music by Elliot Peltzman.
Note: Advertisements, intros, outros, and non-content sections have been excluded to focus on the core material discussed in the episode.