Strengthening Cybersecurity in an AI-Driven World: Insights and Strategies from Black Duck’s BSIMM15 Report

By Mike Lyman, Associate Principal Security Consultant

The cybersecurity landscape is rapidly evolving, and with mainstream adoption of artificial intelligence (AI) and more complex software supply chains, organizations are realizing they must adopt a proactive strategy to attain true cyber resiliency. Recognizing that traditional cybersecurity protocols no longer work against today’s cyber threats is an important first step.

Black Duck’s recent Building Security in Maturity Model (BSIMM) 15 report provides key insights into how organizations are responding to today’s cybersecurity challenges, emerging risks, and the most effective strategies for strengthening security programs. By analyzing the security practices of 121 organizations across multiple industries, BSIMM15 serves as a roadmap of what the biggest threats are to organizations, how to meet compliance requirements, and steps for safeguarding a company’s software ecosystem.

BSIMM15: The State of Software Security

Software security trends continue to evolve in response to the changing cyber threat landscape, and now, organizations have to navigate both the opportunities and risks posed by artificial intelligence (AI) and large language models (LLMs) while also ensuring their security programs are robust.

The evolving complexity of AI-driven systems has created new threats and vulnerabilities that organizations are still working to define and secure. In response, the BSIMM15 report found that there has been a 30% increase in organizations forming dedicated research groups to study emerging threats and develop new defensive strategies. Additionally, the use of adversarial testing (abuse cases) has more than doubled in the last year. It is evident that companies recognize the need to continuously test AI models against potential exploits so they don’t find themselves vulnerable if those models are weaponized by threat actors. While we cannot firmly tie the rise in these BSIMM activities to concerns with AI, it is clear these activities will be key to addressing the risks.

The report also uncovered that securing the software supply chain was a top priority for organizations, which is largely due to evolving regulatory requirements. Now more than ever, companies are under pressure to ensure transparency and security across the entire software development lifecycle. BSIMM15 found a 67% increase in the use of software composition analysis (SCA) to identify vulnerabilities in open-source components and a 22% rise in the generation of software bills of materials (SBOMs) to provide greater visibility into deployed applications.

However, despite these advancements, security awareness training has seen a decline over the years. In 2008, the BSIMM1 report found that 100% of organizations conducted basic software security training for their teams, yet today, that number has dropped to just 51.2%, marking the lowest participation rate recorded to date. This decline raises concerns about the overall preparedness of organizations to defend against evolving cyber threats. It also illustrates the need for increased investment in security education and awareness initiatives across all company departments.

It is possible that this investment is already happening, and software security training is simply evolving from traditional methods to more just-in-time training. Things like collaboration channels, a walk to the next desk to talk with the local security champion, and the training provided by security testing tools as they describe an issue and its remediation, can provide training that is immediately actionable. This is something we will be exploring more in the next year.

Security Strategies for Mitigating Emerging Threats, AI Risks, and Software Supply Chain Challenges

It is evident that organizations must refine their security strategies to keep pace with emerging threats, regulatory pressures, and evolving software vulnerabilities. Instead of trying to adopt a one-size-fits-all approach, companies must personalize security protocols based on their unique business needs.

As previously mentioned, while AI offers benefits to cybersecurity, it also poses complex security risks. Many organizations are still in the early stages of defining AI-specific attack surfaces and integrating protective measures. In order to stay ahead of these risks, businesses should proactively gather intelligence on AI-related threats, establish secure design patterns for AI models, and ensure that AI security is embedded into existing governance frameworks. Treating AI security as an afterthought could expose businesses to unforeseen vulnerabilities and have detrimental impacts on an organization.

Another critical priority is strengthening software supply chain security. Regulatory requirements, especially for those who develop software for the U.S. government, have created significant changes and challenges in security practices. The BSIMM15 report indicates that in order to mitigate this, there has been a sharp rise in the adoption of software composition analysis (SCA), with a 67% increase in organizations leveraging this approach to identify vulnerabilities in open-source components. Additionally, there has been a 22% increase in the creation of software bills of materials (SBOMs), helping companies provide better transparency into software dependencies. Organizations have also increased their efforts to protect code integrity, reflecting the growing need for enhanced visibility and risk mitigation in the software supply chain.

Lastly, organizations must embrace a “shift everywhere” approach to cybersecurity. In today’s landscape, security must be integrated across legal, audit, risk management, and vendor oversight functions. According to BSIMM15, a 43% increase in event-driven security testing automation highlights a growing shift toward embedding security throughout the entire software development lifecycle (SDLC). Companies that adopt cross-functional security governance are better positioned to proactively manage real-time security threats and compliance requirements, ultimately reducing risk and achieving cyber resiliency.

Looking ahead, as cyber threats grow in complexity and regulatory expectations continue to evolve, organizations must take a proactive and strategic approach to security. Strengthening defenses against AI-driven threats, securing the software supply chain, reinvesting in security awareness, and integrating security across all business functions are essential steps in building a resilient security program.
