Organizations are increasingly prioritizing compliance due to recent regulatory requirements, such as those from the US Government regarding the sale of software to the US government and the EU’s Digital Operational Resilience Act (DORA).
This was one of the findings of the Black Duck “Building Security in Maturity Model” (BSIMM) report, which garnered insights from 121 organizations across eight industries on effective security practices, emerging risks, and evolving threat landscapes.
The report examines current successes and failures in software security and considers how organizations adapt their strategies to tackle traditional security challenges and emerging threats. Key takeaways from this year’s report include successful security champions, organizations increasingly prioritizing activities that support compliance, and the doubling of adversarial tests (abuse cases) since BSIMM14.
The report also found that the creation of Software Bills of Materials (SBOMs) has risen by 22%, and Software Composition Analysis (SCA) on code repositories has increased by 67%.
Companies are strengthening their software supply chain risk management programs and improving vendor relationships to enhance security. A crucial aspect of managing software-related risks is understanding the components within a system, which is where SBOMs come into play. However, despite their advantages, organizations still face challenges regarding the quality of SBOMs and the decision-making processes based on vendor-provided SBOMs.
AI & Automation
This year’s report saw a 30% increase in organizations engaging research groups to develop new attack methods. At the same time, the use of adversarial tests (abuse cases) was found to have more than doubled since BSIMM14.
Jason Schmitt, CEO of Black Duck, has commented on the findings: “Prioritising security in the face of emerging technologies—especially rapidly evolving fields like AI—has never been more critical or challenging. BSIMM15 offers valuable insights into how organizations are navigating these hurdles and can serve as a guide for others looking to innovate securely and build trust in their software.”
We are the Champions
The BSIMM15 report identifies ‘Champions’ as a key piece of terminology from the outset. The term is defined in the report as ‘A group of interested and engaged developers, cloud security engineers, deployment engineers, architects, software managers, testers, or people in similar roles who have an active interest in software security and contribute to the security posture of the organization and its software.’
The report identified a strong correlation when grouping surveyed organizations into 3 categories based on their scoring system, considering effective security practices, emerging risks, and evolving threat landscapes. These categories were broken down into the bottom 20%, the middle 60%, and the top 20%. It found that 92% of the top-scoring firms in the BSIMM15 data pool have security champions, whereas fewer than 35% of the bottom-scoring firms have one. It also identified that 90% of firms in the highest-scoring group have a champions program, compared to 32% in the lowest-scoring group.
Takeaways
The key takeaways from the report can be connected to identify a discernible pattern. Organizations increasingly prioritize compliance to adhere to new regulations and not be left behind in the marketplace by customers who now expect this as a new standard. Comprehensive SBOMs seem to be the preferred investment for achieving this. AI is still a massive industry issue, and a 30% increase in businesses engaging research groups shows us that companies are seeking to automate wherever possible, and they know spending now will most likely save them money in the long term.
Finally, Champions have a strong link with success, and they will shout about your good work. If you don’t have any – implement some at scale, and as you grow, implement a champions program. As the report states, ‘A strong security champions program enables an SSI to scale people-driven activities, tune automated activities, and prioritize remediation tracking activities within an organization.’
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.