The recently released BSIMM15 report from Black Duck has shed light on the increasing efforts by organisations worldwide to address emerging security risks in artificial intelligence (AI) and software supply chains. The report, which analyzed software security practices across 121 companies, revealed a noticeable uptick in activities aimed at fortifying defenses against evolving threats.
One of the key takeaways from the BSIMM15 report is a set of significant shifts in how organisations are approaching software security. For instance, the number of companies conducting adversarial testing, such as abuse case scenarios, has doubled compared to the previous year. This indicates a heightened focus on identifying vulnerabilities and weaknesses in software products before attackers do.
Moreover, there has been a surge of 67% in the adoption of software composition analysis (SCA) on code repositories, reflecting a growing emphasis on supply chain security. With cyber threats becoming more sophisticated, organisations are recognizing the importance of vetting third-party components for potential security risks.
Another noteworthy finding from the report is the 30% increase in organisations employing research groups to explore new attack methods. This underscores the rising complexity of security challenges faced by companies in today’s digital landscape.
In addition, the report highlights that software bills of materials (SBOMs) have become a critical tool for compliance and transparency. Twenty-two percent more organisations are now generating SBOMs for deployed software, signaling a shift towards greater accountability and oversight in the software development process.
According to Jason Schmitt, CEO of Black Duck, the proliferation of AI technologies presents both opportunities and risks for organisations of all sizes. Prioritizing security in the face of emerging technologies like AI is crucial but challenging. The BSIMM15 report offers valuable insights into how organisations are navigating these challenges and can serve as a roadmap for others looking to innovate securely and instill trust in their software products.
The BSIMM15 study encompasses data from various industries, including cloud computing, financial services, healthcare, IoT, and technology. It represents the collective efforts of 11,100 security professionals supporting 270,000 developers and securing 96,000 applications.
Supply chain security has emerged as a focal point for organisations, especially in response to U.S. government requirements for software self-attestation. The BSIMM15 data reveals a notable increase in activities supporting compliance, such as the heightened use of SCA tools and SBOMs. These measures are essential for ensuring transparency and security in today’s intricate software ecosystems.
However, amidst the progress in AI and supply chain security, the report highlights a concerning decline in security awareness training. Only 51.2% of organisations now offer basic training, the lowest rate observed since the inception of the BSIMM initiative in 2008.
The Building Security In Maturity Model (BSIMM) has been tracking the evolution of software security practices since 2008. Through comprehensive interviews and assessments, BSIMM collects and analyzes anonymized data to identify key trends and guide organisations in planning, executing, and measuring their software security initiatives.
In conclusion, as AI continues to reshape the digital landscape and supply chain threats grow more sophisticated, the BSIMM15 report offers a detailed look at how leading companies are proactively addressing these challenges. It serves as a valuable resource for organisations striving to stay ahead of the curve in an ever-evolving cybersecurity landscape.