Regulatory pressure is accelerating at an unprecedented pace, and organizations that fail to adapt will soon find themselves on the wrong side of increasingly stringent compliance regulations.
The latest Building Security In Maturity Model (BSIMM) research reveals a trend emerging in response: forward-thinking organizations are automating key compliance processes to meet these new regulatory demands. Compared with BSIMM15, automated Software Bill of Materials (SBOM) generation increased by 30% and automated vulnerability disclosure was up 40%.
Over the past few years, we’ve witnessed the cascading impacts of software security vulnerabilities. From critical infrastructure disruptions to data breaches affecting millions, the consequences of exploited software vulnerabilities are too significant to ignore. As a result, governments worldwide are no longer waiting for the software industry to self-regulate.
The EU Cyber Resilience Act (CRA) and Section 524B of the FDA’s Federal Food, Drug, and Cosmetic Act (FDCA Section 524B) are prime examples of how compliance mandates are reshaping software development. This isn't a theoretical future scenario. The compliance clock is already ticking.
Thankfully, software security and compliance are not competing interests. By choosing the right solutions, you can meet compliance requirements while simultaneously improving your overall security posture.
Automating SBOM generation and maintenance with a modern software composition analysis (SCA) solution is a good example. Manual SBOM creation is simply too error‑prone and time‑consuming to meet new regulatory expectations. Automating the process improves security posture, meets compliance demands, and frees developers to work on revenue-generating tasks.
Black Duck® SCA automates SBOM generation by continuously scanning and analyzing codebases to identify all open source and third-party components. It integrates seamlessly into CI/CD pipelines and triggers automatic scans with each build or commit, ensuring that SBOMs remain current and accurate throughout the software development life cycle without the need for manual intervention.
Of course, not all compliance processes can be automated. A comprehensive compliance program must facilitate manual processes as well. For example, activities that streamline vulnerability disclosure grew by over 40% since BSIMM15. BSIMM researchers expect to see more growth in manual activities around design reviews, risk assessments, and security requirements in the near future.
BSIMM is a data-driven model developed through the analysis of real-world software security initiatives. For the 16th edition of our report, we analyzed the software security practices of 111 organizations across a variety of verticals. The report identifies the key trends and activities of your peers in these organizations to help you benchmark your own program.