New BSIMM7 Findings Show Increasing Demand for Security Processes in Software Development

The Latest Release of the Building Security In Maturity Model Adds New Companies and Application Container Measurement to the Secure Security Process

DULLES, Va.--Cigital Inc., the industry leader in software security solutions, today released BSIMM7, the latest version of the industry’s first and only software security measurement tool built on real-world data reflecting the current state of software security. This year’s iteration of the annual report shows that software security is becoming mainstream and organizations across all industries are now deploying software security initiatives to address ongoing software security challenges. The BSIMM facilitates building security in by assessing, comparing and contrasting software security initiatives with others in the industry.

This year, BSIMM7 grew to include the largest number of participating companies in its eight-year history, and notably marks the addition of a BSIMM activity to address application containers and the growing use of the Cloud as part of the secure development process. The study shows that the average Software Security Group (SSG) age continues to decline, demonstrating that firms are integrating BSIMM earlier into their software security initiatives. With the emergence of IoT and the spread of software across different spectrums of the enterprise, BSIMM7 shows that software security is becoming a major component of day-to-day operations.

“Software is influencing more and more of our daily lives as consumers, professionals and humans embrace a digital experience,” said Jim Routh, CSO, Aetna. “Leading organizations that use BSIMM to benchmark their software security resiliency practices have a significant competitive advantage in the marketplace.”

New verticals added to BSIMM7 include Internet of Things (IoT) and insurance, which deepens the BSIMM data set and provides an essential view of the value of software security as the security industry changes. Although the expanded healthcare vertical includes some mature outliers, the data shows that healthcare continues to lag behind in software security, similar to the BSIMM6 analysis. BSIMM7’s expanded dataset included a greater number of firms with newer software security initiatives and verticals that have less software security experience. These industries consistently showed less maturity than cloud, financial services and independent software verticals.

“We’re proud of the growth of the BSIMM data set as it shows the continued evolution of the market as more organizations understand the need for effective processes to address software security concerns,” said Dr. Gary McGraw, CTO of Cigital. “We’re now seeing even more companies using the BSIMM strategically and inquiring about the latest data. By working with organizations we have firsthand insight into the challenges they’re facing and ways these problems can be solved. In addition, we were able to conduct a second set of interviews with several companies to identify how software security has changed over time.”

Dr. McGraw, along with Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, analyzed data collected during the past eight years of software security research. Cigital is grateful for the participation of companies including: Adobe, Aetna, ANDA, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Knight Financial Services, Box, Capital One, Cisco, Citigroup, Citizen’s Bank, Comerica Bank, Cryptography Research, Depository Trust & Clearing Corporation, Elavon, Ellucian, EMC, Epsilon, Experian, F-Secure, Fannie Mae, Fidelity, Horizon Healthcare Services, Inc, HP Fortify, HSBC, iPipeline, JPMorgan Chase & Co., Lenovo, LGE, LinkedIn, Marks and Spencer, McKesson, Morningstar, Navient, NetApp, NetSuite, Neustar, Nokia, NVIDIA, NXP Semiconductors N.V., Principal Financial Group, Qualcomm, Royal Bank of Canada, Siemens, Sony Mobile, Splunk, Symantec, The Advisory Board, The Home Depot, The Vanguard Group, Trainline, U.S. Bank, Visa, Wells Fargo and Zephyr Health.

To download the report, visit


Started in 2008, the Building Security in Maturity Model (BSIMM) is a tool for measuring and evaluating software security initiatives. A data-driven model and measurement tool developed through the careful study and analysis of software security initiatives, BSIMM includes real-world data from over 100 organizations. The BSIMM is an open standard that includes a framework based on software security practices, which an organization can use to assess its own efforts in software security. For more information, visit

About Cigital

Cigital is one of the world’s largest application security firms. We go beyond traditional testing services to help organizations identify, remediate and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services and products tailored to fit your specific needs. We don’t stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications.

Cigital is headquartered near Washington, D.C. with regional offices throughout North America, Europe, and India. For more information visit:


W2 Communications
Joyson Cherian, 703-877-8104

Release Summary

Cigital announces the release of BSIMM7, the seventh version of the Building Security In Maturity Model.
