Exploring the Transformative Impact of AI on Application Security through BSIMM16 Insights
On February 4, 2026, Black Duck, a leader in AI-powered application security, unveiled BSIMM16, the latest edition of their Building Security In Maturity Model. This groundbreaking 16th release reveals significant transformations in the way organizations approach software security initiatives (SSIs). The study analyzes data from 111 organizations spanning diverse sectors, including finance, healthcare, and technology, which collectively oversee approximately 91,200 applications managed by 223,700 developers.
One of the most notable findings from BSIMM16 is that AI has emerged as the primary influence on application security, surpassing all other factors. This shift necessitates a dual approach: organizations must not only secure AI-driven coding tools but also protect themselves from potential AI-generated threats. The report identifies three essential changes: there’s a 10% increase in teams utilizing attack intelligence to monitor emerging AI vulnerabilities, a 12% rise in the application of risk-ranking methods to evaluate the safety of code produced by Large Language Models (LLMs), and a 10% uptick in custom rules being applied in automated code review systems to identify issues unique to AI-generated code.
Moreover, external pressures from government regulations are compelling organizations to make significant investments in application security. BSIMM16 highlights a remarkable 30% increase in the production of Software Bills of Materials (SBOMs) to meet the growing transparency requirements imposed by global mandates. In addition, the report notes 50% growth in automated infrastructure security checks and more than 40% growth in the refinement of responsible vulnerability disclosure processes. These changes are largely driven by the EU Cyber Resilience Act and a range of expectations from the U.S. government.
The importance of securing the software supply chain has also seen a significant rise. Organizations are now expanding their focus beyond just internally developed code to encompass the entire software ecosystem. BSIMM16 illustrates a notable increase in SBOM utilization and a 40% rise in the establishment of standardized technology stacks, reinforcing that supply chain security is now a core priority for many companies.
Application security training has also undergone a paradigm shift. In response to modern development workflows and learner preferences, traditional lengthy training courses are being replaced with more concise, just-in-time training methods. BSIMM16 reports a remarkable 29% increase in organizations providing security expertise through collaborative channels, affording teams immediate access to guidance. Interestingly, after years of decline, traditional awareness training is finally beginning to see a resurgence.
According to Jason Schmitt, CEO of Black Duck, the real peril posed by AI-generated code is not always apparent; while it may look polished, it can hide critical security vulnerabilities. Developers are increasingly placing trust in AI-generated output, which does not carry the security instincts that seasoned engineers bring to their own code. This makes the rise in SBOM adoption highlighted in BSIMM16 particularly important, because an SBOM gives organizations the transparency they need to understand their software components, whether those were created by humans, by AI, or by third parties. As regulatory standards evolve, SBOMs are shifting from mere compliance artifacts to foundational elements of effective risk management in an AI-centric development environment.
Established in 2008, BSIMM is a maturity model that tracks the activities of software security practitioners. It helps organizations plan, implement, and assess their software security initiatives, based on in-depth interviews and assessments conducted by security experts. Notably, for the first time in its history, BSIMM16 retains the framework structure of the previous edition unchanged, underscoring the maturity and consistency of application security practices within the industry.
To gain a deeper understanding of these findings, organizations and stakeholders are encouraged to download the BSIMM16 report and explore detailed commentary on the study's implications for the future of software security.