Synopsys Inc. reveals today research that shows 73 percent of respondents say they have increased their efforts to secure their organizations’ software supply chain through a variety of security initiatives.
The data are based on a survey of 350 application development, information technology and cybersecurity decision-makers. Conducted by Enterprise Strategy Group (ESG) and commissioned in part by the Synopsys Software Integrity Group, the results highlighted within the “Walking the Line: GitOps and Shift Left Security: Scalable, Developer-centric Supply Chain Security Solutions” eBook shows software supply chain risk extends beyond open source.
Included among the initiatives companies are taking are the adoption of strong multifactor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent).
Despite those efforts, 34 percent of organizations report their applications have been exploited due to a known vulnerability in open-source software (OSS) within the last 12 months, with 28 percent having suffered a previously unknown (“zero-day”) exploit found in open-source software.
As the scale of OSS usage increases, its presence in applications will increase naturally as well. Pressure to improve software supply chain risk management has placed a spotlight on software bills of materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — as confirmed in the ESG research, which shows 39 percent of survey respondents marked this task as a challenge of using OSS.
“As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “While managing open-source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open-source components. Infrastructure-as-code, containers, APIs, code repositories — the list goes on and on and must all be accounted for to ensure a holistic approach to software supply chain security.”
While open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. This includes aspects of source code and how cloud-native applications are stored, packaged, deployed, as well as how they interface with one another through application programming interfaces (APIs).
Nearly half (45 percent) of the respondents identified APIs as the vector most susceptible to attack, along with data storage repositories (42 percent) and application container images (34 percent).
Nearly all (99 percent) respondents said their organizations either use or plan to use, OSS within the next 12 months. While concerns exist with the maintenance, security, and trustworthiness of these open-source projects, the top concern relates to the scale at which open source is being leveraged within application development. Fifty-four percent of organizations list “having a high percentage of application code that is open source” as their primary concern.
Survey findings also suggest that although developer-focused security and “shifting left” — a concept focused on enabling developers to conduct security testing earlier in the development lifecycle — are growing among organizations building cloud-native applications, 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.
Faster release cycles are presenting security challenges. Application development (41 percent) and DevOps (45 percent) teams agree that developers often skip established security processes, while a majority of application developers (55 percent) agrees that security teams lack visibility into development processes.
Sixty-eight percent of respondents indicated they are prioritizing adopting developer-focused security solutions and shifting some security responsibilities to developers, although more developers (45 percent) are responsible for application security testing than security teams (40 percent). These developers are twice as likely to use internally developed or open-source security tools than specialized third-party vendor solutions.
At the same time, developers are playing a bigger role in securing the software supply chain of cloud-native applications, yet only 36 percent of security teams reported being comfortable with development teams taking responsibility for testing. Concerns such as overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight around security efforts remain the biggest obstacles to developer-led application security efforts.
Those interested in learning more about the research can download a complimentary copy of the
Attendees of the Black Hat USA conference are welcome to visit Synnopsys at booth #1560 in the expo hall at the Mandalay Bay in Las Vegas through Thursday to discuss the findings in more depth. A free copy of “Walking the Line: GitOps and Shift Left Security: Scalable, Developer-centric Supply Chain Security Solutions” eBook is available.
To learn more about how Synopsys Software Integrity Group visit: www.synopsys.com/software-integrity.html