Are you worried about software supply chain attacks?
  Very worried: 33%
  Somewhat worried: 33%
  A little worried: 18%
  Not very worried: 7%
  Not at all worried: 9%
Which of these do you include as part of your software supply chain security analysis today?
  1st party code; 3rd party open-source dependencies; containers; pipeline tools: 55%
  3rd party open-source dependencies and containers only: 17%
  3rd party open-source dependencies only: 11%
  We aren't focusing on software supply chain security today: 16%
Do you currently produce software bills of materials (SBOMs) for your applications?
  All of my applications: 17%
  Most of my applications (70 - 90%): 20%
  Some of my applications (40 - 70%): 11%
  A few of my applications (10 - 40%): 17%
  None of my applications: 36%
Of those SBOMs produced, how many are published?
  All of my SBOMs are published: 23%
  Most of my SBOMs are published (70 - 90%): 23%
  Some of my SBOMs are published (40 - 70%): 13%
  A few of my SBOMs are published (10 - 40%): 20%
  None of my SBOMs are published: 23%
What are the main drivers for using SBOMs? (select all that apply)
  Improving vulnerability response: 53%
  Mandate from senior management: 28%
  Regulatory requirement: 39%
  Third-party/Partner risk management reporting: 45%
  I heard about it and it seems cool: 24%
What are the key factors considered in your selection of open-source packages? (select all that apply)
  Functionality: 66%
  Widespread use/Popularity: 42%
  Security/Risk: 57%
  Project maturity: 50%
  Community development, fixes and support: 57%
How do you secure the open-source software used in your applications? (select all that apply)
  Only authorized packages are allowed to be used: 45%
  Require signed components in CI process: 36%
  Software Composition Analysis: 39%
  Monitor vulnerability reports: 52%
  Software inventory tracking (SBOM): 36%