Proactive measures and collaboration have never been more critical in addressing cybersecurity's evolving challenges. Organizations today face increasing regulatory pressure, complex software supply chains, and emerging threats fueled by rapid advances in technology, including artificial intelligence. To navigate these complexities, the cybersecurity community must embrace innovation, transparency, and adaptability in its strategies.
Black Duck's newly released BSIMM15 report, the latest edition of the Building Security In Maturity Model, offers a detailed examination of the current state of software security initiatives (SSIs) and their evolution over the past year. This comprehensive study provides critical insights into how organizations are adapting to regulatory pressure, embracing supply chain transparency, and redefining training methodologies to meet modern security challenges.
With data collected from 121 organizations across diverse industries, BSIMM15 serves as both a benchmarking tool and a strategic guide for improving software security maturity. For the broader cybersecurity community, this report underscores the growing importance of proactive measures, collaboration, and innovation in addressing emerging threats, including those posed by AI and complex software supply chains.
By analyzing long-term trends and providing actionable recommendations, the report equips practitioners, leaders, and organizations with the knowledge needed to navigate today's dynamic threat landscape and regulatory environment.
One of the standout themes of this year's report is the significant influence of regulatory mandates on software security practices. As Jamie Boote, BSIMM15 co-author and Associate Principal Security Consultant at Black Duck, noted:
"Regulations work. Over the past few years, the U.S. Government and European Union have passed or drafted regulations that will require companies to secure the software they sell or use. Activities surrounding software supply chain risk management, such as scanning open-source software and generating Software Bills of Materials (SBOMs), saw a large increase as companies worked to come into compliance with this new and upcoming type of security regulation."
The BSIMM15 data confirms this trend. Activities like creating SBOMs and performing application composition analysis have surged as organizations prepare to meet requirements such as U.S. Executive Order 14028 on Improving the Nation's Cybersecurity and the European Union's Cyber Resilience Act (CRA). These efforts are critical in identifying and mitigating vulnerabilities within the software supply chain, because an SBOM only reduces risk when it is current and is actually matched against vulnerability data.
Experts across the cybersecurity field echoed the importance of software supply chain security. Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, emphasized this, saying:
"Organizations should adopt a structured approach to generate and maintain comprehensive SBOMs. Continuous monitoring and updating of SBOMs are crucial to reflect any changes or new additions. Collaboration with vendors is essential to obtain detailed SBOMs for third-party software and firmware, ensuring timely updates and patches."
Michael Skelton, Vice President of Operations and Hacker Success at Bugcrowd, pointed out the risks associated with outdated components in network devices:
"Outdated software components contribute to increased cybersecurity risks by exposing systems to known vulnerabilities. Organizations must maintain up-to-date SBOMs and integrate them into cybersecurity strategies to enhance visibility and risk management."
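The two SBOM practices the report and the quoted practitioners call for, keeping the inventory current and matching it against known-vulnerable versions, can be exercised with a small script. The following is an added example, not code from the BSIMM report, Black Duck, or any of the vendors quoted above. The two CycloneDX-style SBOM snapshots, the component names and the advisory entries are constructed for illustration, and the advisory format (a version-less package URL plus a fixed_in version) is an assumed simplification of real vulnerability feeds.

```python
"""Detect SBOM drift and known-vulnerable components in CycloneDX-style SBOMs.

Added example; not BSIMM, Black Duck or vendor code. All data below is
constructed: component names, versions and advisory IDs are made up.
"""
import json

# Constructed previous SBOM snapshot (minimal subset of the CycloneDX schema).
PREVIOUS_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-parser", "version": "2.1.0",
         "purl": "pkg:pypi/acme-parser@2.1.0"},
        {"type": "library", "name": "acme-widgets", "version": "1.9.2",
         "purl": "pkg:npm/acme-widgets@1.9.2"},
        {"type": "library", "name": "acme-logging", "version": "4.0.0",
         "purl": "pkg:maven/com.acme/acme-logging@4.0.0"},
    ],
}

# Constructed current snapshot: one upgrade, one removal, one new native
# component that ships without a purl (common for vendor-supplied blobs).
CURRENT_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-parser", "version": "2.1.0",
         "purl": "pkg:pypi/acme-parser@2.1.0"},
        {"type": "library", "name": "acme-widgets", "version": "1.10.0",
         "purl": "pkg:npm/acme-widgets@1.10.0"},
        {"type": "library", "name": "acme-native", "version": "0.9.1"},
    ],
}

# Constructed advisory feed: assumed simplified format (version-less purl,
# first fixed version). Real feeds carry version ranges and richer metadata.
ADVISORIES = [
    {"id": "CONSTRUCTED-001", "purl": "pkg:pypi/acme-parser", "fixed_in": "2.1.1"},
    {"id": "CONSTRUCTED-002", "purl": "pkg:npm/acme-widgets", "fixed_in": "1.10.0"},
    {"id": "CONSTRUCTED-003", "purl": "pkg:maven/com.acme/acme-logging", "fixed_in": "4.0.1"},
]


def parse_version(version):
    """Turn a dotted version into a tuple of ints so 1.10.0 sorts above 1.9.2.

    A plain string comparison gets this wrong ("1.9.2" > "1.10.0"), which
    silently hides upgrades. Each dotted piece is truncated at its first
    non-digit, so a pre-release such as 1.2.3-rc1 compares as 1.2.3.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def components_by_purl(sbom):
    """Map each component's version-less purl to its declared version.

    Accepts the SBOM as a dict or as JSON text. Components without a purl
    fall back to pkg:generic/<name> so they are still tracked rather than
    dropped from the inventory.
    """
    if isinstance(sbom, str):
        sbom = json.loads(sbom)
    inventory = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or "pkg:generic/" + comp["name"]
        base = purl.split("@", 1)[0]  # strip the @version suffix
        inventory[base] = comp.get("version", "")
    return inventory


def diff_sboms(previous, current):
    """Report supply-chain drift between two inventories from components_by_purl."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = {p: (previous[p], current[p])
               for p in previous if p in current and previous[p] != current[p]}
    return {"added": added, "removed": removed, "changed": changed}


def find_vulnerable(inventory, advisories):
    """Return (advisory id, purl, installed, fixed_in) for each affected component."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["purl"])
        if installed is None:
            continue  # component not present in this SBOM
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((adv["id"], adv["purl"], installed, adv["fixed_in"]))
    return sorted(findings)


if __name__ == "__main__":
    prev, cur = components_by_purl(PREVIOUS_SBOM), components_by_purl(CURRENT_SBOM)
    print("drift:", diff_sboms(prev, cur))
    print("previous findings:", find_vulnerable(prev, ADVISORIES))
    print("current findings:", find_vulnerable(cur, ADVISORIES))
```

Run against the constructed data, the drift report shows the acme-widgets upgrade, the removal of acme-logging and the arrival of the purl-less acme-native component, and the advisory match drops from three findings on the previous snapshot to one on the current one. The remaining finding (acme-parser below its fixed version) is exactly the kind of item that a regenerated SBOM plus a vendor patch cadence, as the quotes above describe, is meant to close. Real vulnerability feeds use version ranges and ecosystem-specific version semantics; the numeric tuple comparison here is a deliberate simplification that a practitioner should replace with the ecosystem's own version library.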
BSIMM15 also sheds light on a fundamental shift in how organizations approach security training. Traditional methods like slideshow presentations and computer-based training (CBT) are losing effectiveness. Instead, organizations are moving toward on-demand, democratized training through collaborative tools such as Slack or Microsoft Teams. Boote observed:
"Training is changing from a centrally driven program to a more on-demand, democratized sharing of information. We've heard anecdotes about developers responding positively to actionable, on-demand security information, and now we have the data to back it up."
The report highlights a significant increase in activities that provide real-time access to security expertise via collaboration channels. This approach not only aligns with developers' workflows but also fosters a culture of continuous learning.
Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, stressed the importance of ongoing education:
"Ongoing training and education on cybersecurity is essential for all organizations—and this should always encompass leadership. Leaders play a vital role in ensuring timely and relevant information reaches their teams."
The BSIMM15 report also addresses the growing impact of AI on software security. While AI-enabled tools offer opportunities for automation and efficiency, they also introduce new attack surface and new classes of vulnerability, such as prompt injection, that existing controls were not designed to cover.
Amit Zimerman highlighted the skills gap in AI security, saying:
"Organizations need to invest in upskilling their teams through dedicated AI security training programs. These programs should focus on foundational AI security knowledge and emerging threats. Partnering with universities and industry certification bodies can help bridge the gap."
The report introduces a new activity (SR3.5), "create standards controlling and guiding the adoption of new technologies," to address the challenges posed by emerging technologies. This proactive measure helps organizations establish security best practices before industry standards are formalized.
The BSIMM15 report paints a clear picture of the path forward for software security:
Regulations are proving effective in driving systemic improvements.
Organizations must prioritize supply chain transparency and collaboration with vendors.
Training strategies should evolve to integrate real-time, actionable security insights.
Investments in AI security and emerging technology frameworks are crucial for staying ahead of threats.
As Boote succinctly put it:
"Every SSI has room for improvement, whether it's scaling activities, harmonizing objectives, or innovating in response to new challenges. The BSIMM provides a roadmap for organizations to navigate this complex and ever-changing landscape."
By embracing these insights and adapting their approaches, organizations can build robust, forward-looking security programs that meet the demands of today's regulatory and technological environment.
Follow SecureWorld News for more stories related to cybersecurity.