With self-attestation requirements for selling software to the U.S. government, organizations are increasingly prioritizing activities that support compliance. This year saw a 22% increase in the number of organizations creating SBOMs for deployed software, and a 67% increase in the number of organizations performing SCA on code repositories.
BSIMM participants are also protecting the code they publish to improve regulatory compliance. The security activity “protect code integrity” increased by roughly 20% from BSIMM14 to BSIMM15, and “use code protection” increased by about 45%. Participants are feeling pressure to implement incident response functionality that can handle vulnerability reports and security bulletins, as shown in the roughly 25% increase in “streamline incoming responsible vulnerability disclosure” activities.
BSIMM15 also introduced a new activity, “protect the integrity of development endpoints,” to measure how participants are securing workstations that access various servers and services of the toolchain. And as the Cyber Resilience Act moves through the European Union regulatory process, BSIMM will watch to see if mandated design review and security requirement-based activities increase in response.
As the use of artificial intelligence has continued to proliferate in software development over the last year, organizations are struggling to secure it. Most BSIMM participants have yet to define the new attack surface created by AI, let alone understand how to secure it. A key trend in BSIMM15 is a roughly 30% increase in organizations engaging research groups to develop new attack methods. The use of adversarial tests (abuse cases) has also increased, more than doubling since BSIMM14.
For the first time, the BSIMM15 report includes a section on artificial intelligence/machine learning that explains the activities around proactively planning to mitigate the impact of new technologies on security. A new BSIMM activity, “create standards controlling and guiding the adoption of new technologies,” is geared toward companies looking to take advantage of innovations like AI that are on the cutting edge of technology.
Additionally, there are five existing BSIMM activities that can help organizations address AI security.
Throughout 2025, BSIMM will continue to measure how companies are securing AI and other emerging technologies.
“Shift everywhere” is an approach to governing the software development life cycle (SDLC) that acknowledges the reality that consistently achieving acceptable levels of software risk is a shared responsibility that includes legal, audit, risk, governance, IT, cloud, technology, vendor management, and others. A shift everywhere approach begins by asking how these roles get the information they need, when they need it, and which processes they normally use.
The core tenets of shift everywhere lie in taking advantage of automation to put data collection and decisions as close to the software development process as required. The BSIMM activity “integrate software-defined life cycle governance” was introduced five years ago and has shown steady growth each year. In BSIMM15, it has grown nearly 48%.
Deciding when a test is required in the SDLC is essential to ensuring that software is evaluated for risk at the most appropriate time. Reflecting this, BSIMM15 saw a 43% increase in the implementation of event-driven security testing in automation, which lets organizations automate security decisions and governance in real time.
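To make "software-defined life cycle governance" and "event-driven security testing" concrete, here is an added example of a small policy-as-code gate. It is not code from the BSIMM report or from any BSIMM participant; the policy table, the test names (sca, sast, iac_scan, secret_scan, sbom_generate, dast), the file patterns, and the sample events and findings are all constructed for illustration. The gate takes an SDLC event (the set of changed files and whether the change is a release), decides which security tests that event requires, and then refuses to pass the change if a required test did not run or if it reported a high or critical finding.

```python
"""Event-driven security testing gate (constructed example, not BSIMM code).

An SDLC event (changed files, release or not) is mapped through a
policy-as-code table to the security tests it requires. Test results are
then evaluated: a missing required test or a blocking-severity finding
stops the change. All test names, patterns and findings are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Policy-as-code: a change touching any file matching a pattern requires
# that test. fnmatch '*' also matches '/', so 'src/**' covers subtrees.
POLICY = {
    "sca": ["requirements*.txt", "package-lock.json", "go.sum", "pom.xml"],
    "sast": ["src/**", "*.py", "*.go", "*.java"],
    "iac_scan": ["Dockerfile", "*.tf", "k8s/**"],
    "secret_scan": ["**"],  # every change with at least one file
}
# Tests that a release event always requires, whatever files changed.
RELEASE_TESTS = {"sca", "sbom_generate", "dast"}
# Finding severities that block the change.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class ChangeEvent:
    repo: str
    changed_files: tuple[str, ...]
    is_release: bool = False


def required_tests(event: ChangeEvent) -> set[str]:
    """Return the set of security tests this event obliges the pipeline to run."""
    tests = set()
    for test, patterns in POLICY.items():
        if any(fnmatchcase(path, pat)
               for path in event.changed_files for pat in patterns):
            tests.add(test)
    if event.is_release:
        tests |= RELEASE_TESTS
    return tests


def evaluate(required: set[str], results: dict[str, list[dict]]) -> tuple[bool, list[str]]:
    """Apply the policy to tool output.

    results maps a test name to its findings, each a dict with 'id' and
    'severity'. Returns (passed, reasons); reasons is empty on pass.
    """
    reasons = []
    for test in sorted(required):
        if test not in results:
            reasons.append(f"{test}: required test did not run")
            continue
        for finding in results[test]:
            if finding["severity"] in BLOCKING_SEVERITIES:
                reasons.append(
                    f"{test}: blocking finding {finding['id']} ({finding['severity']})")
    return (not reasons, reasons)


# Constructed sample events.
DEP_BUMP_EVENT = ChangeEvent("acme/web", ("requirements.txt",))
RELEASE_EVENT = ChangeEvent("acme/web", ("src/app/main.py", "Dockerfile"),
                            is_release=True)

# Constructed sample tool output for the release event: DAST never ran and
# SCA reported one high-severity dependency finding.
RELEASE_RESULTS = {
    "sast": [],
    "iac_scan": [{"id": "IAC-7", "severity": "medium"}],
    "secret_scan": [],
    "sca": [{"id": "DEP-12", "severity": "high"}],
    "sbom_generate": [],
}


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Run both sample events through the gate and return the decisions."""
    dep_required = required_tests(DEP_BUMP_EVENT)
    dep_results = {"sca": [], "secret_scan": [{"id": "S-1", "severity": "low"}]}
    rel_required = required_tests(RELEASE_EVENT)
    return {
        "dep_bump": evaluate(dep_required, dep_results),
        "release": evaluate(rel_required, RELEASE_RESULTS),
    }


if __name__ == "__main__":
    for name, (passed, reasons) in demo().items():
        print(name, "PASS" if passed else "BLOCK", reasons)
```

The point of keeping the policy in a data table rather than in pipeline scripts is that the governance roles named above (audit, risk, vendor management) can review and change which events trigger which tests without editing the automation itself, and every decision the gate makes carries the reasons that produced it.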