Compromises including Log4J, SolarWinds’ Orion network management technology, and Progress Software’s MoveIT file transfer software have heightened focus on software supply chain security in recent years.
The rapidly growing attack surface that stems from cloud computing, software-as-a-service models, containers, microservices architectures and AI-enabled threats is a further driving force for concern.
Here are 30 stats that put the state of software supply chain security into perspective — and contain key takeaways for development and application security (AppSec) teams.
Among the most common flaws found in applications are vulnerabilities related to outdated components, security logging and monitoring failures, injection flaws, broken access controls and cryptographic failures.
Source: State of Software Security 2024, Veracode
Application security debt, meaning flaws that persist without any mitigation for more than a year, is a growing problem. More than seven in 10 organizations (71%) are burdened with significant security debt.
Source: State of Software Security 2024, Veracode
Chief information security officers in particular view their applications as hard to protect: four out of five say so, compared with just over six in 10 (61%) DevSecOps directors who say the same about their attack surface.
Source: The State of ASPM 2024, Cycode
Tool sprawl has become a real problem for application security professionals. IT and security leaders at organizations that have deployed multiple tools to protect their applications say that managing those tools across developer and security teams has become a major challenge.
Source: The State of ASPM 2024, Cycode
More than seven in 10 security professionals say that a lack of visibility into their development and supply chain pipelines heightens their breach risk.
Source: The State of ASPM 2024, Cycode
The rise of supply chain attacks and compliance requirements tied to directives like the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) will make SBOMs a core component of application security. Gartner says that six in 10 companies will require such disclosure in their license and support agreements.
Source: Mitigate Enterprise Software Supply Chain Risk, Gartner
Researchers discovered more than 7,000 malicious packages on PyPI alone in 2023, a 400% increase over the prior year. Most of the malicious packages found on PyPI and npm were information stealers.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
The 2023 figure represents a 28% increase over the 8,700 malware-laden packages that researchers detected across the same three repositories in 2022.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
That figure (70.2%, to be exact) highlights the need for organizations to continuously test both in-house and third-party code throughout the software development lifecycle. About 60% of applications have vulnerabilities in first-party code.
Source: State of Software Security 2024, Veracode
Poor consumption practices led organizations to download 2.1 billion open source software (OSS) components with known vulnerabilities in 2023, even though a fixed version of each of those components was already available.
Source: State of the Software Supply Chain Report, Sonatype
Very few open source projects have active oversight. An analysis of more than 1.7 million open source projects across four major public repositories showed an 18% year-over-year decline in the number of actively maintained projects, which heightens the risk for organizations that depend on these ecosystems.
Source: State of the Software Supply Chain Report, Sonatype
A study of 1,000 codebases across 17 industries documents the near-ubiquitous presence of open source code in modern applications: 96% of codebases contain open source code, which has heightened security risks for organizations.
Source: 2024 Open Source Security and Risk Analysis Report, Synopsys
Adoption of application security practices appears to be maturing slowly at a substantial share of organizations, but 58% still need to do a lot of work just to reach baseline security levels.
Source: 2023 State of Application Security, ArmorCode
The unrelenting pressure to release software quickly is one reason for mounting security debt at many organizations. Fifty-six percent of DevSecOps and AppSec teams currently have at least some unmanaged in their software stack.
Source: 2023 State of Application Security, ArmorCode
Almost all organizations that develop software — 91% — have adopted at least some DevSecOps practices, but many developers, AppSec professionals, DevOps engineers — and CISOs — struggle with implementation and compliance challenges.
Source: Global State of DevSecOps 2023, Synopsys
Despite more than half of DevSecOps teams having begun adopting AI, nearly three-quarters of them (74%) are either very or somewhat concerned about potential weaknesses in their AI-powered security products.
Source: Global State of DevSecOps 2023, Synopsys
The constant pressure to release new applications and features is causing developers to ship software with known security issues. According to the CISOs surveyed, one-third release vulnerable code in the hope that no one will discover the flaws.
Source: Future of Application Security 2024, Checkmarx
Despite the faster cadence of application updates, most organizations rely heavily on manual processes to catalog and inventory their applications and microservices. As a result, many lack accurate, up-to-date information about their applications.
Source: 2024 State of Application Security Report, CrowdStrike
About one in five (22%) organizations review code changes once a quarter or less, and a major reason is how long reviews take: 81% need more than one full business day to review a major code change, and 35% need more than three business days.
Source: 2024 State of Application Security Report, CrowdStrike
Application security teams at many organizations continue to rely heavily on traditional vulnerability management tools, to their detriment, as the threat landscape has evolved considerably in recent years. The survey also found that, during the application development lifecycle, 42% use dynamic application security testing (DAST) and 54% use static application security testing (SAST).
Source: Software Supply Chain Security Risk Report, ReversingLabs
Traditional application security testing (AST) tools that target known vulnerabilities in open source components are no longer sufficient, because organizations increasingly need the ability to test all software types across the entire software development lifecycle.
Source: Software Supply Chain Security Risk Report, ReversingLabs
With more than two-thirds of applications at most organizations now running in the cloud, CISOs and other security leaders are increasingly concerned about identity and access management, data governance and software supply chain risk.
Source: Future of Application Security 2024, Checkmarx
Concerns over the safety of applications and data in cloud environments remain high. But for the second year in a row, managing cloud spending topped security as the biggest cloud-related challenge across the 621 organizations surveyed.
Source: 2024 State of the Cloud Report, Flexera
Nearly three-quarters of respondents in a survey of 500 stakeholders cited reputational damage, loss of business or revenue, denial of service and ransomware as major concerns about cloud file upload services.
Source: The State of Web Application Security 2023, Opswat
The number of companies affected by incidents in their software-as-a-service (SaaS) environments in the last two years is up sharply, a 12% increase from just one year earlier. The most common incidents were data leakage, malicious apps, data breaches and SaaS ransomware. Another 12% are unsure whether they experienced a security incident at all.
Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield
The percentage of organizations using SaaS tools that do not provide complete coverage is alarming. Organizations are at heightened data breach and data loss risk because they don’t monitor their SaaS environments sufficiently.
Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield
255: The number of secret leaks linked to the OpenAI platform on PyPI
The rapid adoption of generative AI tools based on large language models, such as ChatGPT, has led to more secrets being exposed in public repositories, heightening risk for organizations that use these tools. On npm, the number of secret leaks associated with OpenAI was 247.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
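The kind of leak behind those PyPI and npm numbers is usually a developer hard-coding an API key into a source file that then ships in a published package. As an added example (not code from ReversingLabs or the report), the following Python scanner shows the basic check a package maintainer or registry consumer can run before publishing or installing: match key-shaped tokens, then use Shannon entropy to separate real credentials from documentation placeholders. The regex is an assumed, simplified shape for OpenAI-style keys ("sk-" prefix, optional "proj-" segment, long alphanumeric tail), not an official specification, and the sample package files and both keys in them are constructed for the example.

```python
"""Scan package files for OpenAI-style API keys (added example, not the report's code)."""
import math
import re
from collections import Counter
from pathlib import Path

# ASSUMPTION: simplified, illustrative shape for OpenAI-style keys. It is not an
# official key spec; tune the tail length and character class per secret type.
OPENAI_KEY_RE = re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b")

# Placeholders such as "sk-xxxx..." are common in docs and READMEs; entropy
# separates them from high-randomness tokens that are likely live credentials.
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep just enough of the token to triage the finding, never the full secret."""
    return token[:6] + "..." + token[-4:]


def find_secrets(text: str, min_entropy: float = MIN_ENTROPY_BITS) -> list[dict]:
    """Return one finding per high-entropy, key-shaped token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in OPENAI_KEY_RE.finditer(line):
            token = match.group(0)
            bits = shannon_entropy(token)
            if bits < min_entropy:
                continue  # low-entropy placeholder, not a live credential
            findings.append({"line": lineno, "token": redact(token),
                             "entropy": round(bits, 2)})
    return findings


def scan_package(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory mapping of path -> contents (e.g. an unpacked sdist)."""
    results = []
    for path, content in files.items():
        for finding in find_secrets(content):
            results.append({"file": path, **finding})
    return results


def scan_directory(root: str,
                   suffixes=(".py", ".json", ".toml", ".cfg", ".txt")) -> list[dict]:
    """Same scan over a package already extracted to disk."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            files[str(p)] = p.read_text(encoding="utf-8", errors="ignore")
    return scan_package(files)


# Constructed sample package for the example; neither key is a real credential.
SAMPLE_PACKAGE = {
    "mypkg/config.py": (
        "import os\n"
        'API_KEY = os.environ.get("OPENAI_API_KEY")  # correct: read at runtime\n'
        'PLACEHOLDER = "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # docs placeholder\n'
    ),
    "mypkg/client.py": (
        "import openai\n"
        'openai.api_key = "sk-T3BlbkFJ9qZx2mWv8Lp4RsYd6HnKj1Cf0Ua7GeXt5VbNoQ"  # constructed\n'
    ),
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f['file']}:{f['line']}: {f['token']} (entropy {f['entropy']} bits)")
```

Run against the constructed package, only the hard-coded key in mypkg/client.py is reported; the environment-variable lookup and the all-"x" placeholder pass. Findings are redacted on purpose so that the scanner's own output does not become a second leak in CI logs. The same check belongs in a pre-publish hook, and on the consuming side it is cheap to run over an unpacked wheel with scan_directory before the package is trusted.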
Almost all organizations that develop software have begun using AI-based code completion and code generation tools such as GitHub Copilot and Amazon CodeWhisperer. The goal is to speed up development and deployment, but the tools are introducing greater risk.
Source: 2023 AI-Generated Code Security Report, Snyk
Many development teams continue to place complete trust in the security of AI-generated code, yet few organizations using these tools have changed their processes to improve AI security.
Source: 2023 AI-Generated Code Security Report, Snyk
More than half of developers use AI coding tools all or most of the time, and many others use them to a lesser degree, all in violation of their organization's policies. Only 10% scan their code for potential vulnerabilities after such use.
Source: 2023 AI-Generated Code Security Report, Snyk
*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Jai Vijayan. Read the original post at: https://www.reversinglabs.com/blog/software-supply-chain-security-by-the-numbers-30-key-stats-that-matter