
BSIMM15: New focus on securing AI and the software supply chain

Black Duck Editorial Staff

Jan 14, 2025 / 5 min read

The latest “Building Security in Maturity Model” (BSIMM) report, now in its 15th iteration, reveals how participating organizations are securing AI and other emerging technologies, as well as prioritizing efforts to secure the software supply chain in response to renewed regulatory pressures.

BSIMM15 analyzes the security practices of 121 organizations across eight verticals and contains information on what’s working, what isn’t, and what’s changing about the risks and threat landscapes in software security—and how organizations are responding to those challenges.

As AI has gone mainstream in software development among organizations of all sizes and in all verticals, it’s brought new security risks along with opportunities. BSIMM15 offers valuable insights into how some of the leading organizations in the world are navigating the security challenges posed by AI and can serve as a roadmap to others looking to innovate securely.

Securing the software supply chain also continues to be a high priority, especially for organizations that sell software to the U.S. government. Activities that support compliance such as creating Software Bills of Material (SBOMs) and performing software composition analysis (SCA) have increased substantially in the past year.

About BSIMM

The goal of BSIMM remains what it was when it was launched in 2008: to enable cooperation among organizations and help them build trust in their software, not by dictating or prescribing what they should do but by sharing what other organizations are doing within their own software security programs.

BSIMM15 provides detailed information from 121 organizations in verticals including the cloud, financial services, financial technology, healthcare, Internet of Things (IoT), and technology. The participants include 11,100 security professionals who collectively help 270,000 developers working on roughly 96,000 applications.

Because every organization differs in its risk profile, priorities, and capabilities, BSIMM rejects a “one size fits all” approach. Instead, the report serves as a roadmap that allows each organization to choose its own path. It describes nearly 130 discrete activities without mandating which to include in your program. What’s important is that every organization has a software security program that matches its risk profile and priorities.

How security is changing

The annual BSIMM report reflects trends in software security that are responses to the evolution of cybercrime. This year has been defined by organizations adjusting to the opportunities and challenges posed by AI and large language models (LLMs) while also building software security programs that are in compliance with government mandates. Companies that provide DevSecOps platforms, cloud solutions, and security tooling are rising to challenges from the marketplace and attackers to make it easier for developers to automate security tests and practices.

The demands of AI, the cloud, toolchains, adjacent functions to application security, and government scrutiny are leading to a vastly increased scope in software security programs, which in turn is necessitating a new era of shared responsibility between software security groups and engineering. Future security efforts will be heavily influenced by the continuing impact of government regulations on software products and the maturity of AI that will enable new use cases.

Three BSIMM15 software security trends

Regulatory pressures to secure the software supply chain

With self-attestation requirements for selling software to the U.S. government, organizations are increasingly prioritizing activities that support compliance. This year saw a 22% increase in the number of organizations creating SBOMs for deployed software, and a 67% increase in the number of organizations performing SCA on code repositories.

BSIMM participants are also protecting the code they publish to improve regulatory compliance. The security activity “protect code integrity” increased by roughly 20% from BSIMM14 to BSIMM15, and “use code protection” increased by about 45%. Participants are feeling pressure to implement incident response functionality that can handle vulnerability reports and security bulletins, as shown in the roughly 25% increase in “streamline incoming responsible vulnerability disclosure” activities.

BSIMM15 also introduced a new activity, “protect the integrity of development endpoints,” to measure how participants are securing workstations that access various servers and services of the toolchain. And as the Cyber Resilience Act moves through the European Union regulatory process, BSIMM will watch to see if mandated design review and security requirement-based activities increase in response.

Securing AI and new technologies

As the use of artificial intelligence has continued to proliferate in software development over the last year, organizations are struggling to secure it. Most BSIMM participants have yet to define the new attack surface created by AI, let alone understand how to secure it. A key trend in BSIMM15 is a roughly 30% increase in organizations engaging research groups to develop new attack methods. The use of adversarial tests (abuse cases) has also increased, more than doubling since BSIMM14.

For the first time, the BSIMM15 report includes a section on artificial intelligence/machine learning that explains the activities around proactively planning to mitigate the impact of new technologies on security. A new BSIMM activity, “create standards controlling and guiding the adoption of new technologies,” is geared toward companies looking to take advantage of innovations like AI that are on the cutting edge of technology.

Additionally, there are five existing BSIMM activities that can help organizations address AI security.

  • Gather and use attack intelligence
  • Create technology-specific attack patterns
  • Form a board to approve and maintain secure design patterns
  • Integrate software supply chain risk management
  • Make code review mandatory for all projects

Throughout 2025, BSIMM will continue to measure how companies are securing AI and other emerging technologies.

The evolution of shift everywhere

“Shift everywhere” is an approach to governing the software development life cycle (SDLC) that acknowledges the reality that consistently achieving acceptable levels of software risk is a shared responsibility that includes legal, audit, risk, governance, IT, cloud, technology, vendor management, and others. A shift everywhere approach begins by asking how these roles get the information they need, when they need it, and through the processes they normally use.

The core tenets of shift everywhere lie in taking advantage of automation to put data collection and decisions as close to the software development process as required. The BSIMM activity “integrate software-defined life cycle governance” was introduced five years ago and has shown steady growth each year. In BSIMM15, it has grown nearly 48%.

Deciding when a test is required in the SDLC is essential to ensuring that software is evaluated for risk at the most appropriate time. As a result, BSIMM15 saw a 43% increase in implementing event-driven security testing in automation, allowing organizations to automate security decisions and governance in real time.

Use the BSIMM report to build an AppSec culture

Software security maturity is a journey, not an event. For over a decade, the BSIMM report has provided a measuring stick and blueprint to help security teams compare the maturity of their programs against those of their peers. Measurements and benchmark data are derived from organizations participating in BSIMM, so the report provides a direct line of sight into real-world application security (AppSec) program strategies being implemented today.

The annual BSIMM report provides a reference for AppSec maturity assessments, serves as a community that connects security professionals, and is the driving model to help form remediation plans.

Download the BSIMM15 report now.
