An increase in compliance activities such as creating software bills of materials (SBOMs), performing software composition analysis (SCA) scans on code repositories, and securing the attack surface created by artificial intelligence applications is among the key software security trends highlighted in the latest edition of the report from the creators of the Building Security in Maturity Model (BSIMM).
The annual BSIMM report, first introduced in 2008, analyzes the software security practices of organizations across eight verticals. It contains information on what’s working, what isn’t, what’s changing about the threat landscape — and how organizations are responding to those challenges. By comparing and contrasting their initiatives to what other organizations are doing, organizations can use the report as a measuring stick for software security.
Participants in the latest report, BSIMM15, included more than 120 companies — among them AARP, Aetna, Bank of America, Diebold Nixdorf, Eli Lilly, Fidelity, Honeywell, Johnson & Johnson, Lenovo, MassMutual, Navy Federal Credit Union, SonicWall, Synchrony Financial, TD Ameritrade, Vanguard, and ZoomInfo — as well as 11,100 security professionals who collectively help 270,000 developers working on 96,000 applications.
But while legacy application security practices are good for general blocking of traditional software threats, they are no match for modern attacks coming from the software supply chain or using AI/ML. Here are key takeaways from the BSIMM15 report — and why you need to go well beyond traditional AppSec practices to manage modern software risk.
[ Get our Essential Guide: Software Supply Chain Security for Dummies ]
A real-world look into today's software threats and practices
Key trends and insights in BSIMM15 include these three:
1. Organizations are grappling with AI and ML. The opportunities and risks of AI and machine learning are paramount for organizations. Key is the rise of AI-developed code with tools such as GitHub's Copilot.
The BSIMM15 report noted:
"When we talk to clients about what they’re trying to do and the problems they have doing it, we see a wide variety of pain points, but in general, the problem that everybody is struggling with is uncertainty. There isn’t a lot of well-understood guidance out there, so they’re having to find the answers themselves. That uncertainty appears to be contributing to the formation of research groups to develop new attack methods — which increased 30% from BSIMM14 — and a doubling of the use of adversarial tests."
2. Organizations are getting on board with compliance. Nudged by the self-attestation requirements for selling software to the U.S. government, organizations are prioritizing activities that support compliance and software supply chain security, such as creating SBOMs and performing SCA on code repositories. Organizations creating SBOMs for deployed software increased 22% over BSIMM14, while those performing SCA on repos jumped 67%.
3. Security-awareness training is underutilized. Only 51.2% of the companies in BSIMM15 are providing basic security training to their teams.
The struggle with AI is twofold
ReversingLabs chief trust officer Saša Zdjelar said the rise of AI, both on the business side and in software development, has left organizations flat-footed. Businesses are pushing for faster and faster adoption of generative AI without sufficient governance on how to manage it safely.
“I think one of the biggest problems is most companies don't even fully know where AI is being used. They’re struggling to wrap their arms around how much of other people's AI they're already using. And when they build their own, they want to know which large language model is OK. ... How do you make it not just secure, but also actually safe, so it's not providing inappropriate answers that damage the brand and reputation of your company?”
—Saša Zdjelar
And software supply chain risks are also being created by AI and ML implementations used to develop software, said Mike Lyman, one of the authors of the report and an associate principal consultant with Black Duck Software, BSIMM's sponsor. “We don't necessarily know where all that code is coming from,” he said. "It may introduce risk like open-source licensing risks. It may suggest using a code snippet that comes out of an open-source library with a copyleft license that requires you to release your code. So we've got to recognize that type of stuff."
Lyman noted that a lot of flawed code that was written by humans is now being repurposed by ML and therefore AppSec teams need to focus on code reviews for everything.
“A lot of people don't realize that AI is learning to write code by looking at code we wrote. We've never written perfect code, so AI is going to be making the same mistakes that we make in our code.”
—Mike Lyman
Software supply chain risk and shift everywhere
Jason Soroko, a senior fellow at Sectigo, said the rise in use of SCA and SBOMs is a sign of growing interest in software supply chain security.
“It indicates a growing appetite for systemic transparency and compliance. Organizations are finally acting on the idea that you can’t defend what you don’t understand.”
However, Soroko warned, it remains to be seen whether these incremental improvements "risk being undone if core security knowledge and security culture decreases,” another trend noted in the report.
RL's Zdjelar said he welcomed BSIMM15's focus on software supply chain risk but organizations need to shift everywhere — across their entire software stacks — to manage risk across organizations.
“[BSIMM15] mentions software supply chain risk, but it's only in areas like software bill of materials and open source, not really around how software supply chain risks get introduced into companies by way of commercial software. If you think about how supply chain breaches have happened over the last six or seven years, all the breaches have been from commercial software packages, not open source."
—Saša Zdjelar
The decline in training programs is worrying
BSIMM15 confirms a decline in security-awareness training that has been tracked since BSIMM1, BlackDuck's Lyman said. "BSIMM1 started with 100%, but there were only nine software security leaders in that first study," he said.
When more companies were added to the survey, the rate began to decline, he said. "It's been on a slow, steady decline since BSIMM2, from about 80% to a low now of 51% doing basic software security-awareness training"
"We think a lot of that's driven by budgets and also a been-there-done-that attitude. Companies have a software security training program and feel they don't have to revisit it. It falls out being a priority. And as most of us know, if it's not a priority, it tends to decay over time. So we think a lot of that's been what's in play."
—Mike Lyman
Another thing playing into the decline is that a lot of companies mistake their annual general security-awareness training for software security training. "Knowing how to avoid a phishing email, not clicking on suspicious links, and how to avoid malware, is very important, but it doesn't really tell you how to write secure code," he said.
Zdjelar said that there seems to be a decline in formal education when it comes to the right way to develop code, as well as a reliance on tools to do the work for you.
"I think it's a very, very dangerous precedent because the tooling is also built by humans, humans who make mistakes in what is good, secure software. So I think it's a very, very bad practice to trend away from developer education and have overreliance on tooling."
—Saša Zdjelar
What's needed for modern software supply chain security
While the BSIMM data from real-life organizations is significant, Caroline Wong, director of cybersecurity at Teradata, said the survey's findings are not representative of the mainstream.
“I think of it as the top 25% or so of existing software security initiatives that are included in the BSIMM study. These are organizations who take software security seriously and are on the cutting edge of innovation and maturity in this area.”
—Caroline Wong
Wong said the fact that BSIMM remains a descriptive and not a prescriptive model is meaningful. “These activities have not simply been identified as a good idea by a smart person, but rather a valuable enough idea that it passes ROI evaluations at an organization and has enough resource allocation to be considered active and operational,” she said
Zdjelar said the problem with BSIMM is that it is not forward-looking. He would like to see the next edition of BSIMM include more emphasis on software supply chain security risks posed by commercial software. And that means having the right tools for the job.
Traditional tooling such as SCA and static and dynamic application security testing (SAST and DAST) are not capable of identifying modern threats, he said.
"Right now, BSIMM mentions traditional legacy things like static code analysis and dynamic scanning. But they're missing what the most advanced companies are doing to manage their risk, which is binary analysis."
—Saša Zdjelar
Zdjelar explained that binary analysis can flag supply chain threats that traditional AST tools can't find.
"SAST, DAST, and SCA tools are not designed to find the presence of malware or presence of tampering or the fact that your CI/CD pipeline might have been compromised. That's not what they look for."
