Black Duck®, the leader in AI-powered application security, has released BSIMM16, the 16th edition of the Building Security In Maturity Model. The comprehensive study, based on assessments of 111 organizations across industries including financial services, healthcare, technology, and independent software vendors (ISVs), reveals how software security initiatives (SSIs) are evolving to address AI adoption, regulatory pressures, and the demand for more agile security training. For the first time in BSIMM's 16-year history, AI has become the dominant force reshaping security priorities, surpassing all other drivers.
Quick Intel
AI as the Defining Force in Application Security
Organizations face dual pressures: securing AI-powered development tools while protecting against AI-augmented threats. BSIMM16 highlights growing adoption of proactive measures, including enhanced attack intelligence to monitor emerging AI vulnerabilities, risk-ranking techniques to assess the safety of LLM-generated code before deployment, and custom rules in automated review tools to catch issues unique to AI-assisted development. These trends reflect the need to address the "illusion of correctness" in polished but potentially flawed AI-produced code.
Regulatory Mandates Accelerating Security Investments
Global regulations, including the EU Cyber Resilience Act and evolving U.S. government requirements, are pushing organizations toward greater transparency and resilience. The sharp increase in SBOM production addresses supply chain visibility needs, while surges in automated infrastructure verification and responsible disclosure processes demonstrate accelerated compliance efforts. These changes mark a shift where regulatory demands are driving foundational security improvements rather than serving as checkboxes.
Rising Focus on Software Supply Chain Security
BSIMM16 shows organizations expanding protection beyond internally developed code to the entire supply chain ecosystem. Significant growth in standardized technology stacks and SBOM adoption for deployed software underscores supply chain security's emergence as a core priority, helping teams understand and mitigate risks from third-party and AI-generated components.
Modernizing Application Security Training
Traditional multi-day courses are giving way to just-in-time, bite-sized learning that integrates with developer workflows. The 29% increase in open collaboration channels for instant security guidance reflects a preference for accessible, contextual expertise. After a period of decline, traditional awareness training shows early signs of rebounding, indicating a balanced approach to building security knowledge.
"The real risk of AI-generated code isn't obvious breakage—it's the illusion of correctness. Code that looks polished and professional can still conceal serious security flaws," said Jason Schmitt, CEO of Black Duck. "We're witnessing a dangerous paradox: developers increasingly trust AI-produced code that lacks the security instincts of seasoned experts. That's why the surge in SBOM adoption reported in BSIMM16 is so critical, since it gives organizations the transparency to understand exactly what's in their software—whether written by humans, AI, or third parties—and the visibility to respond quickly when vulnerabilities surface. As regulatory mandates expand, SBOMs are moving beyond compliance—they're becoming foundational infrastructure for managing risk in an AI-driven development landscape."
BSIMM remains a leading maturity model for software security professionals, helping organizations plan, execute, and measure their initiatives through real-world data collected via in-depth assessments. The stability of the BSIMM framework in this edition underscores the growing maturity of application security practices industry-wide.
This report highlights the accelerating convergence of AI, regulation, and supply chain security in the cybersecurity and AppSec landscape, providing actionable insights for organizations navigating an increasingly complex threat environment.