Short for Building Security In Maturity Model, BSIMM is a research project documenting the actual secure development practices used at large companies like Adobe, Bank of America, Capital One, EMC, Google, Intel, Microsoft, Symantec, VMware, and Wells Fargo. BSIMM researchers watch developers and track each time they observe one of 109 different activities, such as getting upper management buy-in or using code signing. The project then plots those activities on a spider graph.
Companies can now download the BSIMM2 model for free and use it to measure their own development activities. By plotting their activities versus the averages, they can then see how their software security efforts stack up.