|
1 | 1 |
|
2 | 2 | <img width="1536" height="706" alt="image" src="https://github.com/user-attachments/assets/443f820c-4127-4f98-9032-f94a4f9561e7" /> |
3 | 3 |
|
4 | | -Application Security Program |
| 4 | +## Application Security Program |
5 | 5 | The problem of a systematic approach to security has been solved quite some time ago. Microsoft has introduced the first security assurance program in 2004. Named Microsoft Security Development Lifecycle (MSDL), it was Microsoft’s response to reduce software maintenance costs and increase reliability of software concerning software security related bugs. Since then a number of security assurance initiatives have been launched, such as OpenSAMM, BSIMM, SAMM, SSE CMM, SafeCode, NIST SSDF, etc. Unfortunately, up till now, most of them never really got any grip in the community. The main reasons are that they are not simple and challenging to introduce to large organizations. Small organizations have a lower risk exposure and the management typically isn’t really aware of the problem until it’s too late. |
6 | 6 |
|
7 | 7 | Here is the really good and bad news (depending where you are coming from). More regulatory pressure is on its way to mandate the use of an application security program for organizations. Memorandum M-22-18 mandates all US Federal agency suppliers to conform to NIST SSDF. The Cyber Resilience Act in Europe will be enforced in 2026 for all products with digital elements requiring a systematic approach to security. Furthermore, leading security-minded organizations are starting to set the bar higher for the rest. |
8 | 8 |
|
9 | | -Building Security In Maturity Model (BSIMM) |
| 9 | +## Building Security In Maturity Model (BSIMM) |
10 | 10 | BSIMM is a maturity model that helps organizations plan, implement and measure their software security assurance program. BSIMM consists of 4 domains split in 12 practices and containing a total of 125 security activities. So think of pen testing, patching, monitoring tools and threat modeling as some of these 125 activities you could (but not always should) do in your application security program. Here is a structural overview of the BSIMM13 domains and practices. |
11 | 11 |
|
| 12 | +_BSIMM is not only the framework, but is also a measuring stick in the industry. BSIMM comes with an objective assessment of the different activities in 130 organizations from 8 industry verticals (financial services, independent software vendors, technology, healthcare, cloud, Internet of Things, insurance, and retail)._ |
12 | 13 |
|
13 | | -BSIMM is not only the framework, but is also a measuring stick in the industry. BSIMM comes with an objective assessment of the different activities in 130 organizations from 8 industry verticals (financial services, independent software vendors, technology, healthcare, cloud, Internet of Things, insurance, and retail). |
14 | | - |
| 14 | +------- |
15 | 15 | # The Building Security In Maturity Model (BSIMM) |
16 | 16 | **A Practical Implementation Guide & Reference** |
17 | 17 |
|
@@ -40,5 +40,21 @@ This document is a concise, action-oriented reference guide for implementing the |
40 | 40 | <img src="https://github.com/user-attachments/assets/114e483a-6398-48ed-9cee-13befa789490" /> |
41 | 41 | </p> |
42 | 42 |
|
| 43 | +------- |
| 44 | +# BSIMM (Building Security In Maturity Model) Framework Checklist |
| 45 | +**Version:** 1.0 |
| 46 | +**Author:** Ivan Piskunov |
| 47 | +**Date:** August 30, 2025 |
| 48 | +**BSIMM Version:** BSIMM15 (2025) |
| 49 | + |
| 50 | +## Document Preface |
| 51 | +This checklist provides a structured overview of key activities and practices from the Building Security In Maturity Model (BSIMM) framework. It is designed to help security professionals, development teams, and program leads quickly reference and implement BSIMM's data-driven software security practices based on real-world observations from hundreds of organizations . |
| 52 | + |
| 53 | +**Intended Audience:** AppSec Engineers, DevSecOps Teams, Security Champions, Team Leads, CISOs, BISOs. |
| 54 | +**Official Reference:** [BSIMM Website](https://www.bsimm.com/) |
| 55 | + |
| 56 | +**Disclaimer:** This checklist is derived from public BSIMM materials and is not an official Synopsys product. It represents a condensed reference guide based on published BSIMM content. For official assessments and detailed guidance, please contact Synopsys or authorized partners. |
| 57 | + |
| 58 | +<img width="1316" height="919" alt="image" src="https://github.com/user-attachments/assets/fcf48976-af0a-4941-a6e6-0cfaaeba6724" /> |
43 | 59 |
|
44 | 60 |
|
0 commit comments