A new report out today from Black Duck Software Inc. sheds light on how companies are evolving their software security practices to address modern challenges.

Black Duck Software was previously part of Synopsys Inc. and known as the Synopsys Software Integrity Group, before it was acquired in May and changed its name in October.

The annual Building Security In Maturity Model report from Black Duck highlights trends in securing complex software supply chains and the emerging risks associated with artificial intelligence. This year’s findings emphasize a need for increased adversarial testing and the growing adoption of software bills of materials, or SBOMs.

Starting with adversarial testing, the BSIMM15 report found a significant increase in organizations conducting abuse case testing, with numbers doubling compared to last year, indicating a growing commitment to proactive security measures as companies recognize the challenges posed by rapidly evolving technologies such as AI and machine learning.

Also known as abuse case testing, adversarial testing involves simulating attacks to identify vulnerabilities and understand potential threat vectors. By adopting these tests, organizations are better positioned to safeguard their applications against both known and emerging threats.

Organizations were also found to be increasingly employing threat research groups to develop new attack methods, with the number up 30% over 2023. By hiring to develop new attack methods, firms can stay ahead of attackers by discovering vulnerabilities before they can be exploited.

Through the integration of findings into their security protocols, companies can build more robust defenses, particularly for AI-driven attack surfaces, which the report notes present new and complex risks.

Regulatory pressure was also noted as continuing to shape software security practices, with BSIMM15 highlighting significant increases in activities aimed at compliance. The report noted a 22% rise in organizations creating SBOMs and a 67% growth in software composition analysis, driven by mandates such as the U.S. Cybersecurity Executive Order and the EU Cyber Resiliency Act.

Along with organizations increasingly implementing SBOMs, firms were also found to be tightening vendor management practices to ensure higher security standards among their suppliers. The growth of activities like enforcing software security service level agreements and ensuring compatible vendor policies are noted as reflecting an increasing commitment to mitigating risks posed by third-party dependencies in an increasingly interconnected ecosystem.

The BSIMM15 report also covers what is referred to as a “Shift Everywhere” philosophy, a strategic evolution from the more traditional “Shift Left” approach to security. Differing from Shift Left, which focuses on identifying vulnerabilities early in development, Shift Everywhere emphasizes integrating security governance and testing across all stages of the software lifecycle. The idea is to ensure that every stakeholder from developers to legal teams has timely access to actionable security data with minimal friction.

Central to the Shift Everywhere philosophy is the use of automation and collaboration to embed security seamlessly into existing processes. Activities such as integrating software-defined lifecycle governance and implementing event-driven security testing highlight how firms are enabling real-time risk management.

Michael Skelton, vice president of operations and hacker success at crowdsourced security company Bugcrowd Inc., told SiliconANGLE via email that “organizations should adopt a structured approach to generate and maintain comprehensive SBOMs.”

“This includes conducting regular software inventories and employing automated tools to ensure accuracy and efficiency,” Skelton said. “Continuous monitoring and updating of SBOMs are crucial to reflect any changes or new additions. Collaboration with vendors is essential to obtain detailed SBOMs for third-party software and firmware, ensuring timely updates and patches. By following these steps, organizations can maintain a comprehensive understanding of their software components, reducing the risk of vulnerabilities and improving their overall cybersecurity posture.”

Image: SiliconANGLE/Flux-1