A global survey of 1,224 software engineering professionals working at organizations with more than 1,000 employees suggests a significant gap has emerged between what senior executives believe is being done to improve application security and what might actually be occurring.
Conducted by Atomik Research on behalf of JFrog, a provider of a DevSecOps platform, the survey finds that 67% of the 331 executives and managers surveyed believe code-level security scans are conducted regularly but only 41% of the developers concurred.
A full 88% of executives also said they believe artificial intelligence (AI) and machine learning (ML) tools are being used for security scanning and remediation processes. However, only 60% of DevSecOps teams reported they are actually using these tools. Just over 90% of executives also believe they are using machine learning models in their software applications, whereas only 63% of developers confirm that is true.
Similarly, 92% of executives claim their organizations possess tools to detect malicious open-source packages, while only 70% of developers agreed.
JFrog Field CISO Paul Davis said the disconnect between executives and rank-and-file developers most likely stems from the simple fact many organizations are still on the journey when it comes to re-engineering DevSecOps workflows. The challenge is each organization is starting that journey from a different place and as such they are progressing at different paces that are often difficult to quantify.
Making matters more challenging, however, is the fact that only 30% of all survey respondents identified the need to address vulnerabilities in their software supply chain as a top security concern. It is not clear why fewer than a third of respondents rank supply chain vulnerabilities as a top concern despite how common they are, but the survey results suggest either a degree of overconfidence or that other, more pressing issues are taking precedence.
Securing Software Supply Chains With or Without Regulation
It’s not clear how much influence regulations might have on spurring organizations to better secure their software supply chains. The European Union (EU), for example, is advancing the Cyber Resilience Act (CRA), which imposes secure development and vulnerability handling obligations on products with digital elements sold in the EU, but other jurisdictions have yet to follow suit. In the absence of an actual regulation, it’s up to each organization to determine how best to secure its software supply chain against cyberattacks.
The most common form of those attacks involves stealing the credentials needed to access an application development environment. Once cybercriminals gain that access, they will, over an extended period, attempt to embed malicious code into a build or deployment workflow in the hope that it finds its way into multiple downstream applications. At the same time, cybercriminals are also targeting open-source software repositories by posing as interested contributors before similarly injecting malware into a tool or software component that might be used by thousands of organizations.
Hopefully, advances in artificial intelligence (AI) will soon make it easier to identify and remediate these types of threats. In the meantime, however, the level of disconnect between developers and managers concerning what is being done to ensure software supply chains are secure is, at the very least, disconcerting.