abstract: BSIMM (pronounced “bee simm”) is short for Building Security In Maturity Model. It was originally developed in 2009 through a collaboration between Cigital and Fortify Software experts, and used data from nine companies including Adobe, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. While there are a number of ways to structure a software security program, the BSIMM aims to find the common ground across all software security initiatives so that companies can determine where they stand with their own initiative and how to evolve their efforts over time.