Blockchain & Cryptocurrency Glossary


BSIMM (Building Security In Maturity Model)

Pronunciation
[bee-sim]
Analogy
Think of BSIMM as a detailed map and a measuring stick for a software development team's security practices. The map shows common paths (activities) that many other experienced teams (organizations) have taken to build secure software. The measuring stick helps the team see how their current security efforts compare to those on the map, identifying areas for improvement and growth.
Definition
BSIMM is a descriptive software security model based on real-world data from various organizations, which helps entities understand, measure, and improve their software security initiatives. It provides a set of best practices and activities observed in leading organizations, allowing others to compare and mature their own security programs.
Key Points Intro
BSIMM offers a data-driven approach to maturing software security initiatives by observing and codifying practices from a diverse group of organizations.
Key Points

Descriptive Model: Based on observed activities in real organizations, not prescriptive standards.

Maturity Measurement: Allows organizations to assess the maturity of their software security initiatives against a broad set of data.

Software Security Framework: Organizes activities into domains like Governance, Intelligence, SSDL Touchpoints, and Deployment.

Community and Data-Driven: Updated regularly based on new data from participating organizations, reflecting evolving practices.

Example
A blockchain development company aiming to enhance the security of its smart contract development lifecycle could use BSIMM to assess its current practices. By comparing its activities against BSIMM's framework (e.g., security testing, code review, threat modeling), the company can identify gaps and plan improvements, such as implementing more rigorous static analysis (SAST) tools or formalizing its incident response plan for smart contracts.
Technical Deep Dive
BSIMM (Building Security In Maturity Model) is a study of existing software security initiatives. It codifies 12 practices organized into four domains: Governance (e.g., Strategy & Metrics, Compliance & Policy), Intelligence (e.g., Attack Models, Security Intelligence), SSDL (Software Security Development Lifecycle) Touchpoints (e.g., Architecture Analysis, Code Review, Security Testing), and Deployment (e.g., Penetration Testing, Software Environment Hardening). BSIMM provides a common vocabulary and a detailed framework for evaluating and planning a software security initiative. It's not a how-to guide but rather a reflection of what successful organizations actually do. Data is collected through structured interviews and assessments.
Security Warning
While BSIMM provides valuable insights, simply adopting activities without understanding the context or having the necessary skills can be ineffective. It's a model for measurement and planning, not a checklist for instant security.
Caveat
BSIMM is a descriptive model, meaning it shows what others are doing, not necessarily what is best for every specific organization or for novel technologies like certain aspects of blockchain. The relevance of some activities might need careful interpretation for blockchain-specific challenges.
