More than half (58%) of respondents require third-party penetration test reports to validate software security.

In 2008, 100% of organizations in BSIMM1 conducted software security awareness training. By BSIMM15, this rate has declined to 51.2% of organizations, marking the lowest rate to date.