Black Duck Reports: All Statistics
54% of organizations using at least four compliance controls remediate critical vulnerabilities within a day.
76% of organizations check AI code for security risks.
Organizations that effectively track and manage open source dependencies are 85% more prepared to secure open source software compared to the overall average of 57%.
63% of respondents that prioritize SBOM validation say they're highly prepared to evaluate third-party software.
60% of organizations that perform automatic continuous monitoring report remediating critical software vulnerabilities within a day.
Only 24% of organizations have adopted comprehensive strategies to secure AI-generated code.
35% of respondents cite interpreting and operationalizing complex regulatory requirements as their biggest challenge.
Only 45% of the full respondent pool say they remediate critical software vulnerabilities within a day.
59% of respondents that prioritize SBOM validation typically respond to critical software vulnerabilities within one day.
95% of surveyed organizations reported using AI tools in software development.
49% of organizations using at least three compliance controls remediate critical vulnerabilities within a day.
31.5% of organizations produce SBOMs due to industry regulations.
96.1% of organizations are integrating open source AI models into their products.
18% of companies are affected by "Shadow AI".
21.1% of companies lack confidence in their ability to prevent AI from introducing security vulnerabilities.
70.8% of organizations now produce Software Bills of Materials (SBOMs).
39.4% of organizations produce SBOMs due to customer and partner requirements.
89.3% of organizations are already using AI-powered coding assistants.
80.4% of companies have made a decisive shift towards memory-safe languages.
91% of audited applications contain outdated open source software components.
86% of audited applications contained open source vulnerabilities, with 81% containing high- or critical-risk vulnerabilities.
The number of open source files in an average application has tripled over the last four years.
64% of open source components were transitive dependencies.
56% of all audited applications had license conflicts.
97% of all applications evaluated contained open source software.
Nearly 30% of component license conflicts were caused by transitive dependencies.
90% of the applications contain components more than 10 versions behind the most current version.
33% had open source software components with no license or a customized license.
Automated verification of infrastructure security surged by more than 50%.
Teams using attack intelligence to track emerging AI vulnerabilities increased by 10%.
Application of custom rules to automated code review tools to catch issues unique to AI-generated code increased by 10%.
Use of risk-ranking methods to determine where LLM-generated code is safe to deploy increased by 12%.
Streamlining of responsible vulnerability disclosure grew by more than 40%.
Organizations delivering expertise through open collaboration channels increased by 29%.
Establishment of standardized technology stacks rose by more than 40%.
Nearly 30% more organizations now produce SBOMs to meet transparency requirements.
The number of organizations conducting adversarial tests (abuse cases) has doubled year-on-year.
There has been a 67% increase in the number of organizations performing software composition analysis (SCA) on code repositories.
The number of organizations employing research groups to develop new attack methods has grown by 30%.
The number of organizations creating software bills of materials (SBOMs) for deployed software has risen by 22%.
In 2008, 100% of organizations in BSIMM1 conducted software security awareness training. By BSIMM15, this rate has declined to 51.2% of organizations, marking the lowest rate to date.
Only 51.2% of organizations now offer basic security training, the lowest rate observed since the BSIMM initiative began in 2008.