Synopsys Releases BSIMM9 Study Highlighting Impact of Cloud Transformation and Growth of Software Security Community
Latest Iteration of the Building Security In Maturity Model Reflects Software Security Initiatives of 120 Firms Over the Past Decade

MOUNTAIN VIEW, Calif., Oct. 2, 2018 /PRNewswire/ -- Synopsys, Inc. (Nasdaq: SNPS) today released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms. BSIMM9 highlights the impact of cloud transformation, the emergence of a new vertical industry—retail—represented in the data pool, and the growth of the software security community. To download the report, visit

"Development, security, and operations teams need to align, and BSIMM9 provides data suggesting this is taking place through automation, particularly as software shifts to the cloud," said Dr. Brian Chess, senior vice president of infrastructure and security for NetSuite at Oracle. "This is a huge move in the right direction: greater velocity and better security at the same time."

BSIMM9 describes the work of more than 7,800 software security professionals whose work guides and maximizes the security efforts of 415,000 developers across approximately 135,000 applications. BSIMM9 firms represent industry verticals including financial services, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), insurance, and retail.

Key findings from the BSIMM9 study:

  • Cloud transformation: Firms are moving their workloads and development pipelines to the cloud—a paradigm shift that requires different approaches to software security. Three new activities directly or indirectly related to cloud transformation were observed and added to the BSIMM. Furthermore, activities observed among independent software vendors, IoT companies, and cloud firms (three of the most prominent verticals) have begun to converge, suggesting that common cloud architectures require similar software security approaches.
  • BSIMM across verticals: The BSIMM can be used to compare SSIs within and between verticals. A new vertical industry—retail—emerged in the BSIMM9 data. SSIs in retail are maturing relatively quickly as new models focused on e-commerce become critical to sustaining a healthy business. The retail vertical is already more mature in security than healthcare and insurance.
  • Population growth: BSIMM9 includes data collected from 120 firms, up from 109 firms in BSIMM8. The number of software security practitioners it measures grew by 65 percent, and the number of developers included grew by 43 percent. This notable growth in the BSIMM population indicates that software security is a growing priority.

"The BSIMM project has become a de facto standard for assessing and improving software security initiatives," said Dr. Gary McGraw, vice president of security technology at Synopsys. "By measuring your firm with the BSIMM measuring stick, you can directly compare and contrast your security approach to some of the most mature firms in the world. BSIMM9 is the culmination of a decade of objective, observation-based work in the field, and it incorporates the largest set of data collected about software security anywhere."

The BSIMM includes data collected from firms that have established real SSIs, quantifying the occurrence of 116 activities to show the common ground shared by many initiatives as well as the variations that make each initiative unique. The BSIMM data shows that high-maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the model. Organizations can use the BSIMM to compare initiatives and determine which additional activities might be useful to support their overall strategies.


Dr. McGraw, along with Sammy Migues, principal scientist at Synopsys, and Jacob West, vice president of cloud operations for NetSuite at Oracle, analyzed data collected over the past 10 years of software security research. Some of the companies participating in the assessments include Adobe, The Advisory Board Company, Aetna, Alibaba Group, Amgen, Anda, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Duck Software, Black Knight, Box, Canadian Imperial Bank of Commerce, Capital One, City National Bank, Cisco, Citigroup, Citizens Bank, Comerica Bank, Cryptography Research (a division of Rambus), Dahua, Depository Trust & Clearing Corporation, Ellucian, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Genetec, Global Payments, Highmark Health, The Home Depot, Horizon Healthcare Services, HSBC, Independent Health, iPipeline, Johnson & Johnson, JPMorgan Chase, Lenovo, LGE, McKesson, Medtronic, Morningstar, Navient, NCR, NetApp, News Corp, Nvidia, NXP Semiconductors, PayPal, Principal Financial Group, Qualcomm, Royal Bank of Canada, Scientific Games, Sony Mobile, Splunk, Synopsys, Target, TD Ameritrade, Trainline, Trane, U.S. Bank, The Vanguard Group, Veritas, Verizon, Wells Fargo, Zendesk, and Zephyr Health.

About the BSIMM

Started in 2008, the Building Security In Maturity Model (BSIMM) is a tool for measuring and evaluating software security initiatives. A data-driven model and measurement tool developed through the careful study and analysis of software security initiatives, the BSIMM includes real-world data from more than 100 organizations. The BSIMM is an open standard that includes a framework based on software security practices, which an organization can use to assess its own efforts in software security. For more information, visit

About the Synopsys Software Integrity Platform

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As the world's 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and is also growing its leadership in software security and quality solutions. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest security and quality, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. Learn more at

Editorial Contacts:

Mark Van Elderen
Synopsys, Inc.

Simone Souza 
Synopsys, Inc.


SOURCE Synopsys, Inc.