Get the results of, and analysis on, ESG's new survey on supply chain security.
New research reveals that, despite increasing attacks and incidents against software supply chains, a surprising number of firms believe their defense is sufficient.
This gap could lead security and IT leaders to underestimate their vulnerabilities and overestimate their preparedness.
TechTarget's Enterprise Strategy Group surveyed 368 IT, cybersecurity, and application development professionals in North America to understand the current use and future expectations of third-party and open-source software.
The research aimed to investigate the security challenges they pose, and evaluate the impact of software supply chain attacks.
It also looked at the effectiveness of existing security solutions and how well they integrate with other security tools, and identified the main decision-makers in purchasing software supply chain security solutions.
Despite these alarming numbers, there appears to be a strong perception of security adequacy among organizations.
The results find that nearly 75 percent of survey participants think they possess robust software supply chain security programs and are equipped with appropriate processes and controls.
This confidence persists even in the face of increasing incidents and their severe impacts, a clear paradox between perceived preparedness and actual security effectiveness.
The survey found that organizations are using a wide variety of tools to address software supply chain security, but some critical controls like configuration checks, secrets scanning, and dependency analysis are used less frequently.
Adding to the complexity and confusion is the pace of software development.
While development teams strive to innovate and ship new products at a fast cadence, that very pace of innovation is brushing up against security in the software supply chain.
The survey finds approximately 43 percent of companies are pushing out new builds to production multiple times per week, challenging their ability to maintain stringent security checks.
This rapid release cycle can potentially expose organizations to greater risks if not managed with proactive and dynamic security measures.
About 64 percent of the surveyed participants found more than 50 secrets in their git repositories alone, not accounting for other areas in the development environment.
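Secrets scanning is one of the under-used controls named above, and secrets left in git repositories are the concrete symptom the survey measured. The following is an added illustration of what such a scan does, written for this page rather than taken from the survey, the vendor, or any product. It runs known credential shapes (the AWS access key ID prefix, the classic GitHub token prefix, quoted password assignments) over file contents, then falls back to a Shannon-entropy check for long opaque values assigned to secret-looking names. The three sample files, their paths and every value in them are constructed; the AWS key is AWS's documented example and the token is a string of zeros in the right shape.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: three files as they might sit in a git working tree.
# Every value is a documented example key or an obviously fake string,
# never a live credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"            # AWS's own doc example
        "DB_PASSWORD = 'hunter2'\n"
        "SIGNING_KEY = \"q7X2pLm9vK4nR8sT1wY5zB3cD6fG0hJ\"\n"     # random-looking value
    ),
    "deploy/.env": (
        "API_TOKEN=" + "ghp_" + "0" * 36 + "\n"                    # fake classic-PAT shape
        "LOG_LEVEL=info\n"
    ),
    "src/app.py": (
        "def main():\n"
        "    token = os.environ['API_TOKEN']  # read at runtime, not hardcoded\n"
        "    return token\n"
    ),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    redacted: str


# Well-known credential shapes. Tight patterns keep the noise low; the
# entropy rule below is the catch-all for anything these miss.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "assigned-password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]+)['\"]"),
}

# Generic "secret-ish name = long opaque value" assignment.
ENTROPY_RX = re.compile(
    r"(?i)(secret|token|key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-+/=]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 sits well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough to locate the secret in a report, never enough to reuse it."""
    head = value[:4] if len(value) > 12 else "****"
    return f"{head}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, rule, redact(value)))
                matched = True
        if matched:
            continue  # don't report the same value again under the entropy rule
        m = ENTROPY_RX.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "high-entropy-assignment",
                                    redact(m.group(2))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a path -> content mapping (a checkout, or blobs pulled from git history)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}  {f.rule:<26} {f.redacted}")
    print("totals:", summarize(results))
```

The file that reads its token from the environment produces no finding, which is the behaviour a scanner has to get right if developers are to trust its output; a real deployment would feed it every blob in the repository history, not just the current checkout, because a secret removed in a later commit is still retrievable from the earlier one.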
The study illuminates the stark contrast between the high confidence many organizations have in their security measures and the frequent, serious incidents they actually face.
As the pace of software development accelerates and the sprawl of secrets extends, IT and security leaders need to reconsider their current security frameworks and reevaluate their security posture in the face of ever-evolving threats to their software supply chains.
Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective.
Achieving this broader security coverage starts with gaining accurate visibility into your development pipelines, and creating a comprehensive SDLC asset inventory in collaboration with development teams.
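A pipeline inventory of the kind the paragraph calls for can start from the CI configuration itself: every `uses:` line is code the build system will fetch and run with whatever credentials the job holds. The example below is added here and is not the page's, the survey's, or any vendor's code. It walks a constructed GitHub Actions workflow (the org names, the 40-hex commit id and the secret name are placeholders) and records each action reference, whether it is first-party or third-party under an assumed trusted-owner list, how it is pinned, which secrets the job reads, and whether the job can mint cloud identity tokens, so the result is a starting asset inventory rather than a guess.

```python
import re
from dataclasses import dataclass, field

# Constructed sample workflow; org names, the commit id and the secret name
# are placeholders, not taken from any real project.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/internal-lint@v2
      - run: npm ci && npm run build
      - uses: example-vendor/deploy-to-cloud@main
        with:
          api-key: ${{ secrets.CLOUD_API_KEY }}
      - uses: ./.github/actions/notify
"""

# Owners whose actions this hypothetical organisation treats as its own (assumption).
TRUSTED_OWNERS = {"actions", "example-org"}

USES_RX = re.compile(r"^\s*-\s*uses:\s*(\S+)")
SECRET_RX = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ID_TOKEN_RX = re.compile(r"^\s*id-token:\s*write\b")
SHA_RX = re.compile(r"[0-9a-f]{40}")


@dataclass
class ActionRef:
    ref: str       # text exactly as written after "uses:"
    kind: str      # "local", "first-party" or "third-party"
    pinning: str   # "sha", "tag", "branch" or "n/a"


@dataclass
class Inventory:
    actions: list = field(default_factory=list)
    secrets: set = field(default_factory=set)
    id_token_write: bool = False   # job can obtain OIDC tokens for cloud federation


def classify_ref(ref: str) -> ActionRef:
    if ref.startswith("./"):
        return ActionRef(ref, "local", "n/a")
    repo, _, version = ref.partition("@")
    owner = repo.split("/", 1)[0]
    kind = "first-party" if owner in TRUSTED_OWNERS else "third-party"
    if SHA_RX.fullmatch(version):
        pinning = "sha"      # immutable: the fetched content cannot change later
    elif version in {"main", "master", "develop"}:
        pinning = "branch"   # moves on every push to that branch
    else:
        pinning = "tag"      # mutable: a tag can be re-pointed by the owner
    return ActionRef(ref, kind, pinning)


def parse_workflow(text: str) -> Inventory:
    """Line-oriented pass; enough for the three fields this inventory needs."""
    inv = Inventory()
    for line in text.splitlines():
        if m := USES_RX.match(line):
            inv.actions.append(classify_ref(m.group(1)))
        if ID_TOKEN_RX.match(line):
            inv.id_token_write = True
        inv.secrets.update(SECRET_RX.findall(line))
    return inv


def unpinned_third_party(inv: Inventory) -> list[str]:
    """Third-party code the pipeline runs without an immutable pin."""
    return [a.ref for a in inv.actions
            if a.kind == "third-party" and a.pinning != "sha"]


if __name__ == "__main__":
    inv = parse_workflow(SAMPLE_WORKFLOW)
    for a in inv.actions:
        print(f"{a.kind:<12} {a.pinning:<7} {a.ref}")
    print("secrets read:", sorted(inv.secrets))
    print("id-token write:", inv.id_token_write)
    print("review first:", unpinned_third_party(inv))
```

Run across every workflow in every repository, the output is the inventory the paragraph describes: which external code each build trusts, how firmly, and which of those builds also hold cloud credentials or can mint them. The combination of an unpinned third-party action and `id-token: write` in the same job is the pairing worth reviewing first.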
This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Suzanne Ciccone.
This Cyber News was published on securityboulevard.com. Publication date: Sat, 18 May 2024 08:43:05 +0000