eCommerceNews UK - Technology news for digital commerce decision-makers

Fewer than 40% of firms have full visibility over software supply chains

Yesterday

New research has revealed that fewer than 40% of organisations have full visibility into their software supply chains despite recent high-profile incidents and increasing regulatory scrutiny.

Cloudsmith, a software supply chain management firm, conducted the study, which found that only 36% of organisations report having complete observability over their software supply chain using their current artifact management solutions. This limited insight persists, even as vulnerabilities in software supply chains have been exposed by incidents involving XZ Utils, Log4j, and the tj-actions/changed-files security events.

The research arrives amid enhanced regulatory pressures, such as the EU Cyber Resilience Act and the Cybersecurity and Infrastructure Security Agency's (CISA) updated 2024 guidelines, which are pushing companies towards increased oversight and security controls.

Open-source software plays a significant role in modern development, comprising roughly 90% of contemporary codebases. However, the widespread adoption of open-source components has created additional security challenges, as the introduction of insecure packages can lead to exploitable vulnerabilities in software products.

The report highlighted that 61% of surveyed software development professionals consider security features a priority within their development workflows. Still, a considerable proportion—46%—describe their software delivery pipelines as lacking or having only partial automation. Many organisations also report process inefficiencies and little to no use of a centralised artifact repository, which adds to the challenge of maintaining effective security.

Nigel Douglas, Developer Relations Lead at Cloudsmith, commented on the findings: "There's a clear disconnect between security goals and real-world implementation. Since open-source code is the backbone of today's software supply chains, any weakness in dependencies or artifacts can create widespread risk. To effectively reduce these risks, security measures need to be built into the core of artifact management processes, ensuring constant and proactive protection."

The study found that, with their current tools and methods, many organisations find it difficult to reconcile the demand for rapid software delivery with the need to address security vulnerabilities. More than half of respondents—56%—identified 'Improved Security' as a primary motivation for adopting new artifact management tools.

One respondent described a security incident with tangible impacts, stating, "A vendor solution was compromised, leading to significant downtime and operational losses." Another respondent highlighted ongoing security concerns, saying, "Security risks remain a critical challenge as we strive for faster deployments," underscoring the practical difficulties enterprises face as they seek to increase both speed and security.

Alan Carson, Cloudsmith's Chief Security Officer and co-founder, said, "Without visibility, you can't control your software supply chain. And without control, there's no security. When we speak to enterprises, security is high up on their list of most urgent priorities. But security doesn't have to come at the cost of speed. They may have dozens of developer teams all building different software for different purposes using different methods. DevOps leaders are crying out for a single plane to bring that together and simplify management, making security a default layer, rather than an extra obligation."

The research was conducted among 307 DevOps professionals in the US and UK, including DevOps engineers, security managers, release managers, development managers, and CTOs. The results illustrate a growing demand for improved security in software development processes as the use of open-source software continues to rise and regulatory requirements become more stringent.
