A survey of 100 security professionals finds that nearly half (48%) admit their organizations are falling behind on meeting software bill of materials (SBOM) requirements as specified by the U.S. Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the European Union (EU) Cyber Resilience Act.
Conducted during the recent RSAC conference by Lineaje, a provider of tools and services for securing software supply chains, the survey also finds a nearly equal percentage (47%) have either not started SBOM integration or are still evaluating tools and practices.
Additionally, just over a third conceded their organization still has difficulty identifying and tracking open-source components in applications accurately, while nearly a third (29%) still lack the tools and processes needed to analyze SBOMs for vulnerabilities.
As a result, only 38% of respondents said their organization prioritizes fixing the most vulnerable areas within their applications.
On the plus side, a full 88% of respondents expect artificial intelligence (AI) to have the potential to critically or significantly enhance software supply chain security visibility. At the same time, respondents are aware that AI introduces additional data security and privacy risks (35%) as well as potential vulnerabilities when used to write code (26%).
Lineaje CISO Nick Mistry said AI should also make it simpler to determine whether a fix is available for a vulnerability. However, while there seems to be a lot of confidence being placed in the ability of AI to improve software supply chain security, there is still much work to be done, he added. In fact, it’s already been shown how ChatGPT can be used to create an exploit for 87% of known vulnerabilities, so the number of vulnerabilities that might be exploited is about to substantially increase, noted Mistry.
AI tools have also experienced hallucinations that result in references to software packages that don’t exist. Cybercriminals are now creating software packages that bear the same name as part of an effort to fool developers into downloading software packages that have malicious code, said Mistry.
Despite those concerns, however, just under a third (32%) of survey respondents said they believe their organization will one day deliver software that has no vulnerabilities. In contrast, 68% said they are uncertain whether that goal will ever be achieved.
Ultimately, the ability to build and deploy secure applications comes down to processes. Unfortunately, most of the processes being used to identify vulnerabilities and then mitigate them are still flawed, said Mistry. There is still a tendency to create long lists of vulnerabilities that are then thrown over the proverbial wall for application developers to investigate. Much of that effort, however, is wasted when it is determined that an application that might have a vulnerability is either not externally accessible or the code suspected of having a vulnerability was never actually loaded into memory.
More troubling still, 70% of the survey respondents admit that when a fix is not available for a vulnerability, they either don’t have or are not sure if they have an alternative remediation plan in place.
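The three problems the survey and Mistry describe above, difficulty analyzing SBOMs for vulnerabilities, hallucinated package names that attackers then register, and vulnerability lists handed to developers without regard to whether the code is loaded or exposed, and without a plan when no fix exists, are all things a triage step over the SBOM can surface. The following is an added example, not code from the article, from Lineaje, or from any SBOM tool. It parses a CycloneDX-style SBOM, matches components against a vulnerability feed, flags dependency names absent from a known-package index, and ranks findings by exposure and fix availability. The SBOM, the vulnerability entries, the "EX-2024-..." identifiers, the package names, the known-package index and the two custom component properties (`runtime-loaded`, `internet-facing`) are all constructed for illustration; CycloneDX allows free-form properties, but these particular names are an assumption, as is the weighting scheme.

```python
import json

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed CycloneDX-style SBOM. The two custom properties are an assumption:
# CycloneDX permits free-form name/value properties, but these names are hypothetical.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplehttp", "version": "1.4.0",
         "purl": "pkg:pypi/examplehttp@1.4.0",
         "properties": [{"name": "runtime-loaded", "value": "true"},
                        {"name": "internet-facing", "value": "true"}]},
        {"type": "library", "name": "exampleyaml", "version": "5.1.0",
         "purl": "pkg:pypi/exampleyaml@5.1.0",
         "properties": [{"name": "runtime-loaded", "value": "false"},
                        {"name": "internet-facing", "value": "false"}]},
        {"type": "library", "name": "exampletls", "version": "2.2.1",
         "purl": "pkg:pypi/exampletls@2.2.1",
         "properties": [{"name": "runtime-loaded", "value": "true"},
                        {"name": "internet-facing", "value": "true"}]},
        {"type": "library", "name": "examplehttp-helpers", "version": "0.0.1",
         "purl": "pkg:pypi/examplehttp-helpers@0.0.1",
         "properties": [{"name": "runtime-loaded", "value": "true"},
                        {"name": "internet-facing", "value": "false"}]},
    ],
})

# Constructed vulnerability feed (not real advisories), keyed by purl without version.
VULN_FEED = {
    "pkg:pypi/examplehttp": [
        {"id": "EX-2024-0001", "severity": "high", "affected": ["<2.0.0"], "fixed_in": "2.0.0"}],
    "pkg:pypi/exampleyaml": [
        {"id": "EX-2024-0002", "severity": "medium", "affected": [">=5.0.0", "<6.0.0"], "fixed_in": None}],
}

# Constructed index of package names that actually exist in the registry. A real
# check would query the registry; a name absent here is the hallucinated-package case.
KNOWN_PACKAGES = {"pkg:pypi/examplehttp", "pkg:pypi/exampleyaml", "pkg:pypi/exampletls"}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def version_matches(version, constraints):
    """True if version satisfies every constraint such as '<2.0.0' or '>=5.0.0'."""
    ver = parse_version(version)
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, ">": lambda a, b: a > b, "==": lambda a, b: a == b}
    for c in constraints:
        for op in ("<=", ">=", "==", "<", ">"):   # two-character operators first
            if c.startswith(op):
                if not ops[op](ver, parse_version(c[len(op):])):
                    return False
                break
        else:
            raise ValueError("unsupported constraint: " + c)
    return True


def parse_sbom(text):
    """Yield (purl without version, version, properties as booleans) per component."""
    for comp in json.loads(text).get("components", []):
        base = comp["purl"].split("@", 1)[0]
        props = {p["name"]: p["value"] == "true" for p in comp.get("properties", [])}
        yield base, comp["version"], props


def triage(sbom_text, vuln_feed, known_packages):
    """Return findings ranked by exposure, plus component names that need an existence check."""
    findings, unknown = [], []
    for base, version, props in parse_sbom(sbom_text):
        if base not in known_packages:
            unknown.append(base)   # possible hallucinated or squatted name: verify before install
        for vuln in vuln_feed.get(base, []):
            if not version_matches(version, vuln["affected"]):
                continue
            # Down-weight code that is never loaded and code that is not internet-facing,
            # which is exactly the wasted investigation effort the article describes.
            score = SEVERITY_WEIGHT[vuln["severity"]]
            score *= 2.0 if props.get("internet-facing") else 1.0
            score *= 1.0 if props.get("runtime-loaded") else 0.25
            action = ("upgrade to " + vuln["fixed_in"]) if vuln["fixed_in"] else \
                     "no fix available: apply a compensating control (remove, isolate or pin)"
            findings.append({"purl": base + "@" + version, "id": vuln["id"],
                             "score": score, "fix_available": vuln["fixed_in"] is not None,
                             "action": action})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return {"findings": findings, "unknown_packages": unknown}


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VULN_FEED, KNOWN_PACKAGES), indent=2))
```

Run as-is, the internet-facing, runtime-loaded component with a fix available sorts to the top, the never-loaded component with no fix drops to the bottom but still carries an explicit "no fix available" action so it cannot silently fall off the list, and the unregistered dependency name is reported separately for verification before anyone installs it. In a real pipeline the known-package index and the vulnerability feed would come from the registry and an advisory database rather than constructed dictionaries, and the reachability properties from a runtime or static analysis tool.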
It’s clear that organizations need a more unified view of vulnerabilities that will enable cybersecurity and application developers to work more collaboratively, noted Mistry. The challenge and the opportunity now is to provide those insights into software supply chain security in a way that enables everyone involved to see the same issues not just the same way, but also at the same time.