
BSIMM Assessment


Welcome to the automated version of the Building Security In Maturity Model (BSIMM) software security assessment, brought to you by Cigital and the Consumer Technology Association™ (CTA). Please review the article at for more information about the BSIMM.

Use this BSIMM assessment to find out where your product software security initiative (aka software security program, product security program) stands and how it compares with the efforts of others. 
Note: This tool is exclusively for the use of CTA member companies. While the tool may be run by anyone, actual results are only available to each individual CTA-member company. To check membership, see

IMPORTANT: This assessment assumes your company includes software in your shipping product. "Software" may be anything from cloud-based web code to firmware embedded in hardware, or something in between. In this assessment, we use the phrase "software security initiative" to mean the firm's overall effort to achieve its software security objectives. We use "software security group" to mean the individuals responsible for executing the software security initiative. Of course, there are many ways this may be organized in your firm, ranging from a named group responsible for a firm-wide initiative, to a collection of business unit leaders working together, to individual efforts within specific application portfolios.

You are likely taking this assessment because your firm creates and sells products that include software. Specifically, the online assessment gathers information about your software security initiative and the secure SDLC (Software Development Life Cycle) that produced the specific application in question.

BSIMM consists of 112 activities and has been widely used over the past several years to help companies understand more about the security of software, whether they are developing it themselves or acquiring it from a developer. Every software provider, whether it delivers hardware with software, bespoke software, managed applications, cloud services, data processing, or anything similar, can use this tool to determine both whether and how it performs the BSIMM activities. Of course, participating in the full BSIMM study would yield deeper insight and better-grounded strategies for improvement.

WHO SHOULD COMPLETE THIS ASSESSMENT? This assessment is best completed by someone with working knowledge of the software security activities actually being performed in the firm. This is usually the owner of the software security group.

HOW IMPORTANT IS THIS ASSESSMENT? This assessment helps you build an accurate picture of your software security initiative. Inaccurate responses or incomplete data will produce an unrealistic picture of the security posture of the initiative and of the application in question.

WHAT IS THE CONTEXT FOR THIS ASSESSMENT? This assessment has questions about your firm's software security initiative, software security group, and overall application portfolio. 

WHAT IF I DON'T KNOW EVERY ANSWER? Please consult with colleagues in your firm who can provide the necessary data.

As you continue to the next page and begin the assessment, please remember the following. You must have JavaScript enabled, but you will not be required to accept cookies for the survey tool to work correctly. It is best to proceed to the assessment when you have blocks of time to dedicate to its completion. You will be able to leave and re-enter the assessment using the "Save and Continue" link at the top of each page; you will be sent an email with a URL that allows you to re-enter the assessment at the last point you saved. If you must return to a previous page, use the "Back" button at the bottom of the page; do not use the browser's Back button. Clicking "Submit" on the last page submits your results, and you will not have an opportunity to amend your answers afterward.