
Black Duck’s BSIMM15 Report Highlights How Companies Are Tackling Security Risk in AI and Software Supply Chains


  • The number of organizations conducting adversarial tests (abuse cases) has doubled year-over-year.

  • The number of organizations performing software composition analysis (SCA) on code repositories has increased by 67%.

  • The number of organizations employing research groups to develop new attack methods has grown by 30%.

  • The number of organizations generating software bills of materials (SBOMs) for deployed software has risen by 22%.

Black Duck Software, Inc. (“Black Duck”), a leading provider of application security solutions, today released BSIMM15, the latest edition of its annual Building Security In Maturity Model (BSIMM) report. The report highlights how organizations are addressing software security challenges, including securing complex software supply chains and emerging technologies such as artificial intelligence (AI).

BSIMM15 analyzes the software security practices of 121 organizations, including some of the most advanced companies worldwide across industries like cloud computing, financial services, fintech, healthcare, IoT, and technology. Collectively, the BSIMM data pool represents the work of 11,100 security professionals supporting 270,000 developers and securing 96,000 applications.

“Over the past year, AI has gone mainstream across organizations of all sizes, bringing both opportunities and new risks,” said Jason Schmitt, CEO of Black Duck. “Prioritizing security in the face of emerging technologies—especially rapidly evolving fields like AI—has never been more critical or challenging. BSIMM15 offers valuable insights into how organizations are navigating these hurdles and can serve as a guide for others looking to innovate securely and build trust in their software.”

The BSIMM15 study reveals several key trends and insights, including:

  • Secure Innovation: As organizations grapple with the opportunities and risks of AI and machine learning (ML), many are struggling to define and secure this new, evolving attack surface. A key trend observed is a ~30% increase in organizations engaging research groups to develop new attack methods. Additionally, the use of adversarial tests (abuse cases) has more than doubled since the previous report (BSIMM14).
  • Software Supply Chain Security: With self-attestation requirements for selling software to the U.S. government, organizations are increasingly prioritizing activities that support compliance. For example, there has been a 22% rise in the number of organizations creating SBOMs for deployed software, and a 67% increase in organizations performing software composition analysis (SCA) on code repositories.
  • Declining Security Awareness Training: In 2008, 100% of organizations in BSIMM1 conducted software security awareness training. However, this rate has steadily declined, and in BSIMM15, only 51.2% of organizations are still providing basic security training to their teams, marking the lowest rate observed to date.

Established in 2008, BSIMM is a maturity model that tracks the activities of software security professionals. It helps organizations plan, execute, and measure their software security initiatives. BSIMM data is collected through comprehensive interviews conducted during assessments by security professionals, after which the anonymized data is analyzed to identify trends in software security practices.