Organizations must evolve their security strategies to effectively address emerging threats, regulatory requirements, and the continuous evolution of software vulnerabilities. A standardized, one-size-fits-all approach isn't sufficient; instead, companies must develop and implement security protocols that are specifically tailored to their unique business environments and needs.
The recently released BSIMM15, the latest edition of the annual Building Security In Maturity Model (BSIMM) report, supports exactly that kind of tailoring: the BSIMM study observes how organizations are addressing real-world software security challenges.
The BSIMM15 report contains insights from data collected about the software security practices of 121 organizations, including some of the most advanced companies worldwide across industries like cloud computing, financial services, fintech, healthcare, IoT, and technology.
Here's what we observed over the past year:
Priority: Accounting for Emerging Threats
The software security landscape is ever-evolving in response to the dynamic nature of the cyber threat landscape. As AI adoption becomes more and more mainstream, organizations face the dual challenge of leveraging the opportunities AI presents while simultaneously working to secure against the new risks it may introduce.
The increasing complexity of AI-driven systems has introduced new attack surfaces and vulnerabilities that organizations are actively working to understand and mitigate. According to BSIMM15, there has been a 30% increase in the formation of dedicated research groups focused on studying emerging threats and developing innovative defensive strategies, a promising sign.
Many organizations are still in the nascent stages of defining AI-specific attack surfaces and integrating security mechanisms. To stay ahead of these emerging risks, organizations should proactively gather intelligence on AI-related threats, establish secure design patterns for AI models, and ensure that AI security is seamlessly integrated into existing policies and frameworks. Proactivity is key here — a well-rounded strategy to leverage the potential AI can offer must be accompanied by strategic approaches to counter risks and threats it introduces.
The use of adversarial testing, which involves simulating potential attacks to identify vulnerabilities, has more than doubled over the past year. This trend indicates a growing recognition among companies of the importance of continuously testing AI models to prevent them from being exploited by malicious actors. While it is not yet possible to definitively attribute the rise in these BSIMM activities to AI-specific concerns, it is evident that these practices will play a crucial role in addressing the emerging risks associated with AI.
Priority: Maintaining Focus on the Software Supply Chain
Regulatory requirements are a key driver for organizations in ensuring software supply chain security remains front and center. Organizations are under renewed pressure to ensure transparency and security across the entire software development life cycle.
BSIMM15 reported a 67% increase in the use of software composition analysis (SCA) tooling to identify vulnerabilities in open source components. Additionally, the report found a 22% rise in software bill of materials (SBOM) generation, which provides improved visibility into deployed applications. These key data points illustrate the prioritization of activities supporting compliance for organizations that sell software to the U.S. government.
Diminished Priority: Security Awareness Training
Despite organizations embracing innovation through the lens of AI and acknowledging software supply chain security as a top priority, one stark observation in BSIMM15 was the decline of security awareness training.
In 2008, BSIMM1 found that 100% of organizations assessed conducted at least a basic level of software security training for their teams. As of BSIMM15, that number has dropped to 51.2%. This marks the lowest participation rate ever recorded within the BSIMM study.
The decline does raise a red flag around the preparedness of organizations to defend against the evolving threat landscape. It also illustrates a need for security education and awareness initiatives. However, it is possible that an investment is already being made by organizations, and that this finding is uncovering a shift in methodology — from traditional training methods to just-in-time training infused into other mechanisms such as security testing tools. This is an ongoing exploration we'll continue to examine in the year ahead.
What we can say is that cyber threats will continue to grow in complexity and breadth. Organizations must take a proactive approach to software security, strengthening their defenses in the face of emerging technologies such as AI and a continuously expanding software supply chain. Proactivity is key to security resilience.