BSIMM15: New Focus on Securing AI and the Software Supply Chain
As the U.S. government’s self-attestation requirements for software vendors become more stringent, organizations are increasingly prioritizing compliance-supporting activities. This shift is evident in the BSIMM15 findings, which show a 22% rise in organizations creating Software Bills of Materials (SBOMs) for their deployed software and a striking 67% surge in groups performing Software Composition Analysis (SCA) on code repositories.
BSIMM participants are significantly enhancing the protection of the code they publish to improve regulatory compliance. The activity of “protect code integrity” has increased by roughly 20% from BSIMM14 to BSIMM15. Furthermore, the use of “code protection” has seen a substantial 45% rise. This trend indicates that participants are increasingly recognizing the importance of implementing robust incident response capabilities to manage vulnerability reports and security bulletins, as demonstrated by a 25% increase in “streamline incoming responsible vulnerability disclosure” activities.
Introducing the new activity, “protect the integrity of development endpoints,” BSIMM15 aims to assess how participants secure workstations accessing various servers and services within the toolchain. This addition is timely as the Cyber Resilience Act navigates the European Union regulatory framework, prompting BSIMM to monitor whether design review mandates and security requirement-based activities see an uptick in response.
With the burgeoning incorporation of artificial intelligence in software development, organizations face challenges in securing this new frontier. Most BSIMM participants have yet to chart the new attack surface AI introduces, let alone devise security measures for it. A notable trend in BSIMM15 is the 30% increase in organizations involving research groups to explore new attack methodologies. The application of adversarial tests, such as abuse cases, has also more than doubled since BSIMM14.
Marking a significant development, the BSIMM15 report now includes a section on artificial intelligence and machine learning, detailing activities focused on proactively planning to mitigate the impact of emerging technologies on security. A new BSIMM activity, “create standards controlling and guiding the adoption of new technologies,” caters to companies eager to leverage frontier innovations like AI.
Additionally, five existing BSIMM activities offer solutions to address AI security challenges, helping organizations navigate this complex landscape. Throughout 2025, BSIMM will continue measuring strategies companies implement to secure AI and other emerging technologies.
The “shift everywhere” philosophy offers a nuanced approach to governing the Software Development Life Cycle (SDLC), recognizing that achieving acceptable levels of software risk is a collective responsibility. This approach encompasses legal, audit, risk, governance, IT, cloud, technology, vendor management, and more. “Shift everywhere” begins by questioning how these roles access necessary information and adhere to established processes just when it is crucial.
The core principles of “shift everywhere” involve leveraging automation to ensure data collection and decision-making occur as close to the software development process as needed. Since its introduction five years ago, the BSIMM activity “integrate software-defined life cycle governance” has demonstrated consistent annual growth, culminating in a nearly 48% increase in BSIMM15.
Determining the appropriate timing for testing within the SDLC is crucial to evaluate software risks effectively. Reflecting this priority, BSIMM15 observed a remarkable 43% increase in the implementation of event-driven security testing automation, empowering organizations to make immediate security decisions and govern effectively in real time.
As organizations navigate the intricate landscape of regulatory compliance and emerging technologies, the insights from BSIMM15 serve as a beacon for enhancing security measures and ensuring resilient software development practices. By focusing on securing AI and the software supply chain, BSIMM15 emphasizes the evolving nature of threats and the necessity to adapt proactively.
