A global survey of 900 application security professionals finds nearly two-thirds work for organizations that have had their software supply chains compromised in the past two years, with 18% being victimized in the last year.
Conducted by Checkmarx, a provider of application security testing tools, the survey also finds that 100% of respondents are aware of a breach of their software supply chain that occurred at some point in the past.
Not surprisingly, the survey finds three-quarters of respondents (75%) are now either very concerned (39%) or concerned (36%) about the security of their software supply chain.
Additionally, well over half (57%) said software supply chain security is a top or significant area of focus, with 54% planning to use or investigate some type of solution. However, only 7% have acquired and implemented a tool or platform to specifically secure their software supply chains, the survey finds.
On the plus side, half (50%) are now requesting software bills of materials (SBOMs) from entities that provide their organization with software, but fewer than half (47%) said their organization can effectively operationalize SBOMs, the survey finds.
Renny Shen, vice president of portfolio marketing for Checkmarx, said the challenge is that the scope of the effort required to secure software supply chains is significant. In addition to SBOMs and deploying tooling to discover vulnerabilities and malware, DevSecOps teams also need to, for example, embrace zero-trust initiatives to secure access to their software supply chain.
There is no single tool or platform that enables DevSecOps teams to achieve that goal, he added.
In general, securing software remains challenging because, even if a vulnerability is discovered, a DevSecOps team may not be able to fix it, noted Shen. For example, well over half (56%) of the applications deployed are based on open-source code packages that organizations depend on external maintainers to update.
On the plus side, however, software supply chain security has become a C-level discussion, said Shen. The challenge is that many organizations have yet to define a set of key performance indicators (KPIs) that enable them to ensure that best DevSecOps practices are being adopted. Right now, there is not enough emphasis on application security, so developers will continue to focus most of their time and effort on writing new code rather than fixing existing code, he noted.
Unfortunately, most organizations don’t prioritize application security, so until there is a fundamental shift in incentives it’s not likely developers will spend more time remediating vulnerabilities. There has been an effort to shift more responsibility for security further left toward developers, which has been met with mixed success. Developers generally have access to more tools, but unless those tools surface issues as developers write code, it’s not likely they will have a meaningful impact on improving the overall state of application security.
Hopefully, the rise of generative artificial intelligence (AI) will soon make it simpler to find and remediate vulnerabilities by, for example, automatically creating the required patch. In the meantime, however, securing software supply chains requires a level of vigilance that, despite best intentions, remains difficult to achieve and maintain.