BSIMM15 highlights include a 100% increase in adversarial testing, 67% growth in software composition analysis, 30% more research on attack methods, and a 22% rise in generating software bills of materials (SBOMs).

Black Duck Software, Inc., a leading provider of application security solutions, released BSIMM15, the latest edition of its annual Building Security In Maturity Model (BSIMM) report. The report highlights how organizations are addressing software security challenges, including securing complex software supply chains and emerging technologies such as artificial intelligence (AI).

BSIMM15 analyzes the software security practices of 121 organizations, including some of the most advanced companies worldwide across industries like cloud computing, financial services, fintech, healthcare, IoT, and technology. Collectively, the BSIMM data pool represents the work of 11,100 security professionals supporting 270,000 developers and securing 96,000 applications.

“Over the past year, AI has gone mainstream across organizations of all sizes, bringing both opportunities and new risks,” said Jason Schmitt, CEO of Black Duck. “Prioritizing security in the face of emerging technologies—especially rapidly evolving fields like AI—has never been more critical or challenging. BSIMM15 offers valuable insights into how organizations are navigating these hurdles and can serve as a guide for others looking to innovate securely and build trust in their software.”


The BSIMM15 study reveals several key trends and insights, including:

  • Secure Innovation: As organizations grapple with the opportunities and risks of AI and machine learning (ML), many are struggling to define and secure this new, evolving attack surface. A key trend observed is a ~30% increase in organizations engaging research groups to develop new attack methods. Additionally, the use of adversarial tests (abuse cases) has more than doubled since the previous report (BSIMM14).
  • Software Supply Chain Security: With self-attestation requirements for selling software to the U.S. government, organizations are increasingly prioritizing activities that support compliance. For example, there has been a 22% rise in the number of organizations creating SBOMs for deployed software, and a 67% increase in organizations performing software composition analysis (SCA) on code repositories.
  • Declining Security Awareness Training: In 2008, 100% of organizations in BSIMM1 conducted software security awareness training. However, this rate has steadily declined, and in BSIMM15, only 51.2% of organizations are still providing basic security training to their teams, marking the lowest rate observed to date.

Established in 2008, BSIMM is a maturity model that tracks the activities of software security professionals. It helps organizations plan, execute, and measure their software security initiatives. BSIMM data is collected through comprehensive interviews conducted during assessments by security professionals, after which the anonymized data is analyzed to identify trends in software security practices.


Acknowledgements

Black Duck would like to thank Jamie Boote, Ben Hutchison, Mike Lyman, Sammy Migues, and Sam Schueller, authors of the BSIMM15, as well as special guest authors, Tim Mackey and David Benas. Additional thanks to the nearly 165 individuals who helped gather the data for the BSIMM data pool, along with the 121 executives from the SSIs we studied to create BSIMM15.

Some of the companies participating in the BSIMM study include AARP, Aetna, Airoha, AON, Arlo, Axway, Bank of America, Bell Network, CIBC, Citi, Diebold Nixdorf, Egis Technology, Eli Lilly and Company, EQ Bank, Fidelity, Finastra, Genetec, HCA Healthcare, Honeywell, HUMAN Security, Imperva, Inspur Software, Intralinks, iPipeline, Johnson & Johnson, Landis+Gyr, Lenovo, MassMutual, MediaTek, Medtronic, MiTAC, Navient, Navy Federal Credit Union, NetApp, Oppo, Pegasystems, QlikTech International AB, Realtek, Reckitt, Sammons Financial, ServiceNow, Signify, SonicWall, Synchrony Financial, TD Ameritrade, Teradata, U.S. Bank, Unisoc, Vanguard, Veritas, Vivo, and ZoomInfo.
