BURLINGTON, Mass., Feb. 4, 2026 /PRNewswire/ — Black Duck®, a leader in AI-powered application security, has unveiled the 16th edition of the Building Security In Maturity Model (BSIMM16). This edition outlines how organizations around the globe are reconfiguring their software security initiatives to tackle risks associated with AI adoption, increasing regulatory demands, and the need for more dynamic training methodologies. Notably, AI has emerged as the foremost factor reshaping security priorities for the first time in BSIMM’s history.
The comprehensive study draws from assessments of 111 organizations across diverse sectors, including financial services, healthcare, technology, and independent software vendors (ISVs). It provides crucial insights into real-world application security practices, aimed at safeguarding approximately 91,200 applications developed by 223,700 developers.
Among the report’s significant findings, it reveals that AI has become the defining challenge in application security. Companies are now tasked with securing AI-driven coding assistants while also defending against potential AI-enabled attacks. The BSIMM16 study highlights three compelling trends: a 10% increase in teams utilizing attack intelligence to monitor emerging AI vulnerabilities, a 12% uptick in implementing risk-ranking methods to assess the safety of LLM-generated code, and a 10% rise in the application of custom rules in automated code review tools to identify issues unique to AI-generated outputs.
In addition to the challenges posed by AI, government regulations are prompting organizations to make substantial investments in application security. The report indicates that nearly 30% more organizations are now producing Software Bill of Materials (SBOMs) to fulfill transparency mandates. Moreover, there has been a more than 50% increase in the automated verification of infrastructure security, alongside over 40% growth in initiatives aimed at streamlining responsible vulnerability disclosure. These shifts are largely influenced by the EU Cyber Resilience Act and evolving requirements from the U.S. government.
Another key trend identified in BSIMM16 is the rising importance of software supply chain security. Companies are extending their focus beyond their internally developed code to encompass the entire software supply chain ecosystem. This includes a notable increase in SBOM adoption for deployed software and more than a 40% rise in the establishment of standardized technology stacks, indicating that supply chain security is becoming a pivotal concern.
Application security training is also witnessing a significant transformation. The traditional model of multi-day security courses is increasingly being supplanted by just-in-time, bite-sized learning that aligns with contemporary development workflows and learner preferences. The findings show a 29% increase in organizations providing expertise through open collaboration channels, offering teams immediate access to security guidance. Interestingly, after years of decline, traditional security awareness training is starting to see a rebound.
Jason Schmitt, CEO of Black Duck, emphasized the risks associated with AI-generated code, stating, “The real risk of AI-generated code isn’t obvious breakage—it’s the illusion of correctness. Code that looks polished and professional can still conceal serious security flaws.” He noted a troubling paradox: developers are increasingly placing trust in AI-produced code that may lack the security acumen of experienced professionals. Schmitt underscored the significance of the surge in SBOM adoption, which provides organizations with essential transparency to fully understand the contents of their software—irrespective of whether it is generated by humans, AI, or third parties. As regulatory mandates expand, SBOMs are evolving from mere compliance tools to foundational infrastructures for managing risk in an AI-imbued development landscape.
Established in 2008, BSIMM serves as a maturity model that tracks the activities of software security professionals, aiding organizations in planning, executing, and measuring their software security initiatives. The data for BSIMM is collected through extensive interviews conducted by security professionals during assessments, followed by an analysis of the anonymized data to identify prevailing trends in software security practices.
For the first time in its history, BSIMM16 maintains the same framework structure, signaling both the maturity and stability of application security practices within the industry. To learn more about these insights, the BSIMM16 report is available for download along with a detailed blog post.
About Black Duck
Black Duck® addresses the board-level risks of modern software with True Scale Application Security, ensuring uncompromised trust in software for the regulated, AI-driven world. Black Duck solutions allow organizations to navigate the trade-offs between speed, accuracy, and compliance while minimizing security, regulatory, and licensing risks. With capabilities in both cloud and on-premises environments, Black Duck is positioned as the sole choice for securing mission-critical software across various development landscapes. For more information, visit www.blackduck.com.