A survey of 106 leaders and practitioners involved in software supply chain security finds more than three-quarters of respondents (76%) work for organizations that have made software supply chain security a significant or top (24%) priority.
Conducted by Anchore, a provider of a software composition analysis (SCA) tool, the survey also finds that 59% of respondents are part of a cross-functional or dedicated team focused on software supply chain security.
Verifying the security of third-party software (46%), the security of open-source software (42%) and the security of the development toolchain (34%) are the top three challenges organizations are encountering. The top priorities are to reduce open-source risk (31%), automate scans across the software development lifecycle (26%), and improve the security of the DevOps toolchain (17%).
Overall, 40% of respondents report their software supply chain has been attacked in the past 12 months, with 21% experiencing a significant impact. Just under a quarter (24%) discovered multiple attacks.
On the plus side, nearly half (49%) are now creating software bills of materials (SBOMs), with 78% planning to increase their usage in the next 18 months. Under half of respondents follow best practices such as creating SBOMs for the software they develop (49%) or the open-source software they use (45%), or requesting SBOMs from vendors (41%).
Only 10% of respondents currently have a strategy for using the Vulnerability Exploitability eXchange (VEX) format, while 12% consume VEX documents and 8% produce them. One-quarter of respondents expect to adopt VEX in the next six months, and another 15-20% plan to adopt it within 18 months.
Additionally, only 21% of respondents have full visibility of the open-source software components their organization uses, the survey finds.
Josh Bressers, vice president of security for Anchore, said that while there is much work still to be done, increased usage of SBOMs suggests that a lot of progress in terms of adopting best DevSecOps practices is being made. Much of that progress is being driven by compliance requirements that are becoming more stringent, he added.
The survey finds that, on average, organizations now comply with 4.9 regulations and standards, and more than a third (35%) are making a significant effort to comply with government regulations and standards.
In the long term, a majority of respondents are concerned about the impact artificial intelligence (AI) will have on software supply chain security. The biggest concerns are with code tested with AI (35%) and code generated with AI (32%) or with Copilots (27%).
In general, investment in DevSecOps continues to increase. A separate Techstrong Research survey finds that while less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices, a full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. At the same time, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as high as well.
As a result, it is now more a question of when, and to what degree, the security of software supply chains will improve.