Back to Posts
BSIMM16: Navigating Software Security Amidst AI, Regulation, and Supply Chain Challenges
Posted by Phil Alsop on 16 February 2026 at 10:16 am
  • news

Black Duck, an AI-powered application security solutions provider, recently unveiled the 16th edition of the Building Security In Maturity Model (BSIMM16). This study sheds light on the evolving landscape of software security, particularly in the face of emerging AI, regulatory demands, and agile security training approaches.

AI has emerged as the leading force reshaping application security priorities, marking an important moment in BSIMM's history.

The study, encompassing assessments from 111 organisations within various sectors such as financial services, healthcare, technology, and independent software vendors (ISVs), provides insights. These organisations represent over 223,700 developers working on safeguarding about 91,200 applications.

Key Trends in Application Security:

  • AI as a Defining Challenge: The report reveals an increase in teams using attack intelligence and risk-ranking to ensure AI-generated code safety.
  • Regulatory Influence: Increased by global mandates, there is a heightened focus on software supply chain transparency with increased production of Software Bill of Materials (SBOMs) and automated infrastructure verification.
  • Software Supply Chain Emphasis: Organisations are now prioritising ecosystem-wide security. There's a rise in adopting standardised technology stacks and deploying SBOMs as core essentials.
  • Transformation in Security Training: Traditional courses are transitioning to bite-sized learning models, facilitating instant access to security expertise via collaborative channels.

Jason Schmitt, CEO of Black Duck, commented on the evolving landscape, highlighting how AI-generated code may mislead developers with an "illusion of correctness." This necessitates adopting SBOMs for transparency in understanding the intrinsic components of software, paving the way for proactive risk management.

With impending regulatory expansions, such as the EU Cyber Resilience Act, SBOMs are evolving from compliance tools into vital infrastructure managing the risks associated with AI-driven software development.