Software supply chain
The report found that organizations are realizing the supply chain is more than just dependencies. It’s development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more.
While open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have “significantly increased” their software supply chain security efforts in response to recent supply chain attacks.
Respondents cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization’s attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.
Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.
OSS risk management: SCA and SBOM
The survey points out that a lack of open source management is threatening SBOM compilation.
The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While they have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization's code is, or will be, composed of up to 75% open source. Fifty-four percent of respondents cited "having a high percentage of application code that is open source" as a concern or challenge with open source software. In our own studies, we've found a correlation between the scale of open source software (OSS) usage and the presence of related risk.
As the scale of OSS usage increases, so does the share of each application that is made up of open source code, and with it the exposure to vulnerabilities, licensing issues, and abandoned packages in that code. Pressure to improve software supply chain risk management has placed a spotlight on software bill of materials (SBOM) compilation. With exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task, one that 39% of survey respondents in the ESG study marked as a challenge of using OSS.