- Almost three-quarters of organizations have made significant enhancements to their software supply chain security, as a result of several high-profile incidents, including the SolarWinds nation-state attack and the Log4j vulnerability, according to a study by Enterprise Strategy Group on behalf of Synopsys.
- The investments range from multifactor authentication to application security testing and improved asset discovery. However, despite those efforts, more than one-third of organizations have been exploited due to a known open source software vulnerability in the last 12 months and 28% have been impacted by a zero-day exploit, according to the report.
- The biggest concern for more than half of all survey respondents is the high percentage of application code that is based on open source software. The study is based on a survey of 350 decision makers working in IT and cybersecurity as well as application developers.
There is an urgent and ongoing debate about the security of software supply chains and the heavy reliance of the developer community on open source software.
The industry is beginning to embrace a consensus that security needs to become far more of a priority during the development stage. By the time there is an actual attack or widespread vulnerability, it may be too late for many organizations to quickly find and remediate the damage remaining to their systems.
The research reveals that managing open source is top of mind for many organizations, according to Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center.
“This includes vulnerability management and falling victim to an attack, but interestingly also the fear of having too much open source within their application stack,” Mackey said via email.
More research is delving into the security implications of relying on open source. In June, a study by Linux Foundation and Snyk indicated 40% of organizations don’t have a great deal of confidence in open source security.
In July, research from the federal Cyber Safety Review Board showed the impact of the Log4j vulnerability would last well into the future, calling it an “endemic vulnerability.”
But management responses to the growing security risks to the software supply chain are still in their early stages, Gartner research found. Responses are either absent or fragmented.