BSIMM15 highlights compliance and AI security: Why modern tooling is key

An increase in compliance activities such as the creation of software bills of materials (SBOMs), performing software composition analysis (SCA) scans on code repositories, and securing the attack surface created by artificial intelligence (AI) applications are among the key software security trends highlighted in the latest edition of the Building Security in Maturity Model (BSIMM) report.

The annual BSIMM report, first introduced in 2008, analyzes the software security practices of organizations across eight verticals. It contains information on what’s working, what isn’t, what’s changing about the risks and threat landscapes in software security — and how organizations are responding to those challenges. By comparing and contrasting their initiatives to what other organizations are doing, organizations can use the report as a measuring stick for software security. 

More than 120 companies participated in the latest report, BSIMM15 — including the AARP, Aetna, Bank of America, Diebold Nixdorf, Eli Lilly and Company, Fidelity, Honeywell, Johnson & Johnson, Lenovo, MassMutual, Navy Federal Credit Union, SonicWall, Synchrony Financial, TD Ameritrade, Vanguard, and ZoomInfo — as well as 11,100 security professionals who collectively help 270,000 developers working on 96,000 applications.

But while legacy application security practices are good for general blocking and tackling against traditional software threats, they are no match for modern attacks coming from the software supply chain and AI/ML. Here are key takeaways from the BSIMM15 report — and why you need to go well beyond traditional AppSec practices to manage modern software risk. 

[ Get our Essential Guide: Software Supply Chain Security for Dummies ]

A real world look into today’s software threats and practices

Key trends and insights in this year’s BSIMM include:

1. Organizations are grappling AI and ML. The opportunities and risks of artificial intelligence (AI) and machine learning (ML) are paramount for organizations. Key is the rise of AI-developed code with tools such as GitHub’s Copilot.

The BSIMM15 report noted:

“When we talk to clients about what they’re trying to do and the problems they have doing it, we see a wide variety of pain points, but in general, the problem that everybody is struggling with is uncertainty. There isn’t a lot of well-understood guidance out there, so they’re having to find the answers themselves. That uncertainty appears to be contributing to the formation of research groups to develop new attack methods — which increased 30% from BSIMM14 — and a doubling of the use of adversarial tests.”

2. Organizations are getting on board with compliance. Nudged by the self-attestation requirements for selling software to the U.S. government, organizations are prioritizing activities that support compliance and software supply chain security, such as creating SBOMs and performing software composition analysis (SCA) on code repositories. Organizations creating SBOMs for deployed software increased 22% over BSIMM14, while those performing SCA on repos jumped 67%.

3. Security awareness training is in decline. Compared to BSIMM1, when 100% of organizations conducted software security awareness training, only 51.2% in BSIMM15 are providing basic security training to their teams, marking the lowest rate observed to date.

The struggle with AI is two-fold

ReversingLabs chief trust officer Saša Zdjelar said the rise of AI, both within the organization and for software development, had left organizations flat footed. On the generative AI front, they’re being pushed by their businesses into faster and faster adoption of AI without really sufficient governance on how to manage it safely.

“I think one of the biggest problems is most companies don’t even fully know where AI is even being used. They’re struggling to wrap their arms around how much of other people’s AI they’re already using. And when they build their own, they want to know which large language model is OK … How do you make it not just secure, but also actually safe, so it’s not providing inappropriate answers that damage the brand and reputation of your company?”
—Saša Zdjelar

And software supply chain risks are also being created by AI and ML implementations used to develop software, said Mike Lyman, one of the authors of the report and an associate principal consultant with Black Duck Software, BSIMM’s sponsor. “We don’t necessarily know where all that code is coming from. It may introduce risk like open source licensing risks. It may suggest using a code snippet that comes out of an open-source library with a copyleft license that requires you to release your code. So we’ve got to recognize that type of stuff,” he said

Lyman said that’s why AppSec teams really need to focus on code reviews for everything, noting how many of the flawed code that has been written by humans is now being repurposed by ML.

“A lot of people don’t realize that AI is learning to write code by looking at code we wrote. We’ve never written perfect code, so AI is going to be making the same mistakes that we make in our code.”
—Mike Lyman

Software supply chain risk and shift everywhere

Jason Soroko, a senior fellow at Sectigo, said that the rise in use of SCA and SBOMs identified in BSIMM15 is a sign a growing interest in software supply chain security.

“It indicates a growing appetite for systemic transparency and compliance. Organizations are finally acting on the idea that you can’t defend what you don’t understand.”

However, Soroko warned that it remains to be seen whether these incremental improvements “risk being undone if core security knowledge and security culture decreases,” which was also highlighted in the report.

RL’s Zdjelar said that he welcomed BSIMM15’s focus on software supply chain risk, but said that organizations need to shift everywhere — across their entire software stacks — to manage risk across organizations.

“[BSIMM15] mentions software supply chain risk, but it’s only in areas like software bill of materials and open source, not really around how software supply chain risks get introduced into companies by way of commercial software. If you think about how supply chain breaches have happened over the last six or seven years, all the breaches have been from commercial software packages, not open source.”
—Saša Zdjelar

The decline in training programs is worrying

The decline in security awareness training identified in BSIMM15 has been a trend since the start of the program, BlackDuck’s Lyman said. “BSIMM1 started with 100%, but there were only nine software security leaders in that first study,” he said.

As soon as firms were added, it began to decline, he said. “It’s been on a slow, steady decline since BSIMM2, from about 80% to a low now of 51% doing basic software security awareness training”

“We think a lot of that’s driven by budgets and also a been-there-done-that attitude. Companies have a software security training program and feel they don’t have to revisit it. It falls out being a priority. And as most of us know, if it’s not a priority, it tends to decay over time. So we think a lot of that’s been what’s in play.”
—Mike Lyman

Another thing playing into the decline is a lot of companies mistaking their annual general security awareness training for software security training. “Knowing how to avoid a phishing email, not clicking on suspicious links, and how to avoid malware, is very important, but it doesn’t really tell you how to write secure code,” he said.

Zdjelar said that there seems to be a decline in formal education when it comes to the right way to develop code, and a reliance on tools to do the work for you.

“I think it’s a very, very dangerous precedent because the tooling is also built by humans, humans who make mistakes in what is good, secure software. So I think it’s a very, very bad practice to trend away from developer education and have over-reliance on tooling.”
—Saša Zdjelar

What’s needed for modern software supply chain security

While the BSIMM data from real-life organizations are significant, Caroline Wong, director of cybersecurity at Teradata, said they are not representative of the mainstream. 

“I think of it as the top 25% or so of existing software security initiatives that are included in the BSIMM study. These are organizations who take software security seriously and are on the cutting edge of innovation and maturity in this area.”
—Caroline Wong

Wong said the fact that BSIMM remains a descriptive and not a prescriptive model is meaningful. “These activities have not simply been identified as ‘a good idea’ by a smart person, but rather a valuable enough idea that it passes ROI evaluations at an organization and has enough resource allocation to be considered active and operational,” she said

Zdjelar said the problem with BSIMM is that it is not forward looking. He would like to see the next edition of BSIMM include more emphasis on software supply chain security risks posed by commercial software. And that means having the right tools for the job.

Traditional application security testing (AST) tooling like SCA and other code scanning approaches are not capable of identifying modern threats, he said. 

“Right now BSIMM  mentions traditional legacy things like static code analysis and dynamic scanning. But they’re missing what the most advanced companies are doing to manage their risk, which is binary analysis.”
—Saša Zdjelar

Zdjelar explained that binary analysis can flag supply chain threats that traditional AST tools can’t find.

 “SAST, DAST and SCA tools are not designed to find the presence of malware or presence of tampering or the fact that your CI/CD pipeline might have been compromised. That’s not what they look for.”   

*** This is a Security Bloggers Network syndicated blog from Blog (Main) authored by John P. Mello Jr.. Read the original post at: https://www.reversinglabs.com/blog/bsimm15-sbom-ai-security-modern-tooling