Mainly it's all about isolation of secret keys to prevent unauthorized use.
I think the better general term to be used is crypto token like used in PKCS#11 specification.
There are several ways to protect secret keys, ranging from file ownership / permissions and/or key passphrases on the low-end to tamper-proof hardware which automatically deletes the stored keys in case someone is attacking the device with a drilling machine.
Real tamper-proof hardware is pretty expensive and therefore one cannot give a good recommendation without knowing your security requirements and budget.
Taking your term "HSM software" literally I'd recommend to have a look at software implementing PKCS#11 proxy functionality. This allows you to store secret keys on different commodity hardware running with standard OS and then use the key remotely over network. It gives better protection than storing and using secret keys on the same system but is not as secure as real HSMs.