Get results of and analysis on ESG's new survey on supply chain security.
New research reveals that, despite increasing attacks and incidents against software supply chains, a surprising number of firms believe their defense is sufficient. This gap could lead security and IT leaders to underestimate their vulnerabilities and overestimate their preparedness.
TechTarget’s Enterprise Strategy Group surveyed 368 IT, cybersecurity, and application development professionals in North America to understand the current use and future expectations of third-party and open-source software. The research aimed to investigate the security challenges they pose, and evaluate the impact of software supply chain attacks. It also looked at the effectiveness of existing security solutions, how well these solutions work with other security tools, and identified the main decision-makers in purchasing software supply chain security solutions.
The resulting study, titled "The Growing Complexity of Securing the Software Supply Chain," finds that 91 percent of organizations have experienced software supply chain security incidents within the last year, making it clear that software supply chains present a serious risk for organizations.
But despite these alarming numbers, there appears to be a strong perception of security adequacy among organizations. The results find that nearly 75 percent of survey participants think they possess robust software supply chain security programs and are equipped with appropriate processes and controls. This confidence exists even in the face of increasing incidents and their severe impacts, which seems to present a clear paradox in perceived preparedness and defense readiness versus actual security effectiveness.
What’s causing this disconnect? It could be that respondents are unwilling to disclose the true state of their security controls, or are unsure. Another possibility is confusion over exactly what “software supply chain” entails. The survey found that organizations are using a wide variety of tools to address software supply chain security, but some critical controls like configuration checks, secrets scanning, and dependency analysis are used less frequently.
The Challenge of Rapid Software Releases and the Sprawl of Secrets
Adding to the complexity and confusion is the pace of software development. While development teams strive to innovate and ship new products at a fast cadence, that very pace of innovation is brushing up against security in the software supply chain. The survey finds approximately 43 percent of companies are pushing out new builds to production multiple times per week, challenging their ability to maintain stringent security checks. This rapid release cycle can potentially expose organizations to greater risks if not managed with proactive and dynamic security measures.
Another significant concern highlighted in the study is the sprawl of secrets throughout development environments. About 64 percent of the surveyed participants found more than 50 secrets in their git repositories alone, not accounting for other areas in the development environment. This “secrets sprawl” adds layers of complexity and risk, increasing the vulnerability of software supply chains to attacks.
In fact, according to IBM's 2023 Data Breach Report, secret leak risks are the second most common initial attack vector.
Why are so many secrets remaining exposed? Partly because they are abundant and easy to overlook. Modern apps require hundreds of secrets to function (API keys, third parties, cloud credentials, etc.). For example, a developer may test a piece of code with a key. When it works, they move it into production without removing that key. They either forget, or the key works and they don’t want to adjust it.
A Wake Up Call to Software Supply Chain Realities
The study illuminates the stark contrast between the high confidence many organizations have in their security measures and the frequent, serious incidents they actually face.
As the pace of software development accelerates and the sprawl of secrets extends, IT and security leaders need to reconsider their current security frameworks and reevaluate their security posture in the face of ever-evolving threats to their software supply chains.
We at Legit argue that organizations should reframe “software supply chain security” as “software factory security.” This mindset highlights all the risky links in the chain, from assets to pathways and pipelines – not just the third-party links. For example, misconfigured build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren’t treated as critical from a security perspective. In many cases, these systems — like Jenkins, for example — are misconfigured or otherwise vulnerable and unpatched.
Achieving this broader security coverage starts with gaining accurate visibility into your development pipelines, and creating a comprehensive SDLC asset inventory in collaboration with development teams.
Get full survey results and analysis in the ESG eBook "The Growing Complexity of Securing the Software Supply Chain."
