Black Duck Releases BSIMM16 on AI and Compliance Shifts in AppSec

Black Duck announced the release of BSIMM16, the 16th edition of the Building Security In Maturity Model, highlighting how organizations are evolving software security initiatives (SSIs) to address AI-driven risk, rising regulatory pressure, and the need for more agile security training. For the first time in the study’s 16-year history, AI has become the leading factor reshaping application security priorities.

The comprehensive BSIMM16 study is based on assessments of 111 organizations across multiple industry verticals, including financial services, healthcare, technology, and independent software vendors (ISVs). The report provides unprecedented insight into the real-world application security practices protecting approximately 91,200 applications developed by 223,700 developers.

The BSIMM16 study reveals several key trends and insights, including:

  •  AI is now the defining challenge in application security. Organizations are simultaneously securing AI-powered coding assistants and defending against AI-enabled attacks. BSIMM16 highlights three major shifts: a 10% rise in teams using attack intelligence to track emerging AI vulnerabilities; a 12% increase in using risk-ranking methods to determine where LLM-generated code is safe to deploy; and a 10% uptick in applying custom rules to automated code review tools to catch issues unique to AI-generated code.
  •  Government regulations are accelerating major security investments. Global mandates are pushing organizations to strengthen application security, with a sharp focus on software supply chain transparency and securing development environments. Nearly 30% more organizations are now producing SBOMs to meet transparency requirements. BSIMM16 also reports a 50%+ surge in automated verification of infrastructure security and more than 40% growth in streamlining responsible vulnerability disclosure—driven by the EU Cyber Resilience Act and evolving U.S. government demands.
  •  Software supply chain security is rapidly rising in importance. Organizations are expanding their focus beyond internally developed code to secure the entire software supply chain ecosystem. In addition to the significant increase in SBOM adoption for deployed software, BSIMM16 observes more than a 40% rise in establishing standardized technology stacks—clear signs that supply chain security is becoming a core priority.
  •  Application security training is undergoing a major shift. Traditional multi-day security courses are being replaced by just-in-time, bite-sized learning that fits modern development workflows and learner preferences. BSIMM16 reports a 29% increase in organizations delivering expertise through open collaboration channels, giving teams instant access to security guidance. Notably, after years of decline, traditional awareness training is beginning to rebound.


“The real risk of AI-generated code isn’t obvious breakage—it’s the illusion of correctness. Code that looks polished and professional can still conceal serious security flaws,” said Jason Schmitt, CEO of Black Duck. “We’re witnessing a dangerous paradox: developers increasingly trust AI-produced code that lacks the security instincts of seasoned experts. That’s why the surge in SBOM adoption reported in BSIMM16 is so critical, since it gives organizations the transparency to understand exactly what’s in their software—whether written by humans, AI, or third parties—and the visibility to respond quickly when vulnerabilities surface. As regulatory mandates expand, SBOMs are moving beyond compliance—they’re becoming foundational infrastructure for managing risk in an AI-driven development landscape.”

Established in 2008, BSIMM is a maturity model that tracks the activities of software security professionals. It helps organizations plan, execute, and measure their software security initiatives. BSIMM data is collected through comprehensive interviews conducted during assessments by security professionals, after which the anonymized data is analyzed to identify trends in software security practices.

For the first time in its history, BSIMM16 introduces no changes to the framework structure, signaling the maturity and stability of application security practices across the industry.

To learn more, download the BSIMM16 report here.

Acknowledgements
Black Duck would like to thank Jamie Boote, Ben Hutchison, Mike Lyman, and Sam Schueller, the authors of BSIMM16. Additional thanks to the nearly 170 individuals who helped gather the data for the BSIMM data pool, along with the 111 executives from the SSIs studied to create BSIMM16.


About Author

Taylor Graham is a marketing graduate and perpetual researcher, currently covering all things IT. Personally and professionally, Taylor is known for her tenacity and encouraging spirit. When not working, you can find her spending time with friends and family.