The BSIMM15 report from Black Duck reveals how security practices are adapting to increased government regulations, AI and ML-related risks, and shifting training strategies. The annual study, now in its 15th year, finds that organizations leveraging cloud platforms tend to have stronger security postures. These organizations integrate penetration testing, automation, and proactive threat mitigation into their security practices. A major theme this year is the rising emphasis on supply chain security, driven by stricter regulations from governments in the United States, the European Union, and other regions.
Jamie Boote, Associate Principal Security Consultant at Black Duck, explains that the report had initially focused on early adopters of secure software practices. However, it has since expanded to analyze industry-wide security trends. The report tracks how companies integrate security throughout the software development lifecycle, providing a catalog of best practices. As organizations face heightened regulatory scrutiny, they must now scrutinize third-party software, open source dependencies, and vendor security measures to remain compliant.
Many security investments are being driven by compliance, with supply chain security emerging as a top priority. Boote explains that companies working with government contracts face heightened scrutiny, requiring them to prove transparency in their software supply chains. Although some companies may initially treat compliance as a checkbox exercise, Boote tells us that the latest regulations are structured in a way that makes it difficult to meet legal requirements without actually improving security practices.
Boote highlights the growing impact of AI and ML on security, noting that while AI offers powerful capabilities, it also introduces new vulnerabilities and risks. He states: “The threats have changed. The attack surface has changed. But the methodology that you use for analyzing them hasn’t changed.” Boote underscores the need for companies to develop their own practices for AI adoption until industry-wide best practices are in place. By doing so, companies can ensure proper risk assessment and secure implementation, and protect against data integrity issues, model hallucinations, and intellectual property concerns.
The report also finds a strong correlation between cloud adoption and security maturity. Organizations that have migrated to cloud-based environments are more likely to implement security automation, misconfiguration detection, and penetration testing. Boote emphasizes that companies embedding security at every stage of development are best positioned to defend against evolving cyber threats while maintaining regulatory compliance.
The report also identifies a shift in security training approaches. While formal classroom-style training has declined, peer-to-peer and professional learning programs have gained traction. Boote notes that organizations increasingly rely on “security champions” within teams. This suggests that security education is shifting from structured sessions to an integrated part of professional development: rather than traditional instructor-led training, companies are focusing on real-world security learning embedded in teams’ daily work.
Guest: Jamie Boote
Company: Black Duck
Show: CISO Insights
This summary was written by Emily Nicholls.