One survey may hold clues to the trend, given the growing number of vulnerabilities attributed to open source software and Infrastructure-as-Code.
A recent North American survey on software supply chain security polled 350 IT decision makers (30%), cybersecurity decision makers (40%) and application developers (30%) at midmarket (100 to 999 employees) and enterprise (1,000 or more employees) firms, all of them responsible for evaluating, purchasing and using developer-focused security products. 73% of respondents said they had significantly increased their efforts to secure their organizations’ software supply chain through a variety of security initiatives in the wake of high-profile software supply chain attacks such as Log4Shell, SolarWinds and Kaseya.
The initiatives cited included adopting some form of strong multi-factor authentication (33%), investing in application security testing controls (32%), and improving asset discovery to keep the organization’s attack-surface inventory current (30%).
Other findings include:
- 34% of respondents indicated that their applications had been exploited due to a known vulnerability in open source software (OSS) within the last 12 months, with 28% having suffered a previously unknown (“zero-day”) exploit found in OSS.
- 39% of respondents said that compiling software bills of materials (SBOMs) was a challenge in their use of OSS. An SBOM lets an organization quickly determine which of its applications contain an affected component when a new vulnerability is disclosed, which is the first step toward patching it.
- 45% of respondents identified APIs as the vector most susceptible to attack, along with data storage repositories (42%) and application container images (34%).
- 99% of respondents indicated that their organizations either used, or plan to use, OSS within the next 12 months, with 54% citing “having a high percentage of application code that is open source” as their primary concern.
- 97% of respondents reported having experienced a security incident involving their cloud-native applications within the last 12 months.
- 41% of app development respondents and 45% of DevOps respondents said that developers often skip established security processes, while 55% of the application developers surveyed said that security teams lacked visibility into development processes.
- 68% of respondents indicated that they were prioritizing adopting developer-focused security solutions and shifting some security responsibilities to developers, although more developers (45%) were currently responsible for application security testing than security teams (40%). These developers were twice as likely to use internally developed or open source security tools than specialized third-party vendor solutions.
- 36% of security-team respondents said they were comfortable with development teams taking responsibility for testing. The obstacles they cited to developer-led application security were overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and retaining oversight of security efforts.
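The SBOM finding above is easiest to appreciate with a concrete check. The following script is an added example, not code from the survey or from Synopsys: it parses a small CycloneDX-style JSON SBOM and reports every component whose version falls inside an advisory's vulnerable range. Both the SBOM and the advisory are constructed inline; the advisory's version range is illustrative and is not an authoritative statement of CVE-2021-44228's scope, and the field names (`introduced`, `fixed`) are this example's own convention rather than any standard feed's schema.

```python
"""Match a CycloneDX-style SBOM against a vulnerability advisory.

Added example (not from the survey or Synopsys). Demonstrates why an SBOM
turns "are we affected by this new CVE?" into a lookup instead of a hunt.
"""
import json
import re

# Constructed sample SBOM using the CycloneDX JSON shape (only the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1"},
    ],
})

# Constructed advisory. The range is illustrative only; consult the vendor
# advisory for the real affected versions of any CVE.
SAMPLE_ADVISORY = {
    "id": "CVE-2021-44228",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0",   # first affected version (inclusive)
    "fixed": "2.15.0",     # first fixed version (exclusive)
}


def parse_version(version):
    """Turn a version string into a comparable tuple.

    Numeric parts compare as integers (so 2.14.1 < 2.15.0, not a string
    comparison). A pre-release suffix such as "2.0-beta9" sorts before the
    corresponding release "2.0" by carrying a 0 marker instead of 1.
    """
    main, _, pre = version.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", main)]
    nums += [0] * (3 - len(nums))  # pad so 2.0 and 2.0.0 compare equal
    return (tuple(nums), 0 if pre else 1, pre)


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed under parse_version ordering."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_affected(sbom_json, advisory):
    """Return 'group:name@version' for every SBOM component the advisory covers."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        if comp.get("group", "") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        if in_range(comp["version"], advisory["introduced"], advisory["fixed"]):
            hits.append(f"{comp.get('group', '')}:{comp['name']}@{comp['version']}")
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORY):
        print(f"{SAMPLE_ADVISORY['id']}: affected component {hit}")
```

Run against the sample, the script flags only `log4j-core@2.14.1`: the 2.17.1 copy is outside the range and `log4j-api` is a different component, which is exactly the distinction an organization without an SBOM has to reconstruct by hand under time pressure. In practice the SBOM would come from the build pipeline and the advisory from a vulnerability feed, and the version comparison should use the ecosystem's own semantics (Maven, npm, PyPI and so on differ); the simple ordering here is enough to show the mechanism.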
According to Jason Schmitt, General Manager, Synopsys Cybersecurity Research Center, which commissioned the survey: “While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories—(all) must be accounted for, to ensure a holistic approach to software supply chain security.”