
Organizations Intensify Software Supply Chain Security Efforts Against Risks Posed by Open Source Prevalence

Software supply chain security is a major concern for most organizations worried about the prevalence of open source code in their products, a Synopsys and ESG report found.

As a result, most organizations have intensified their supply chain security efforts in light of high-profile supply chain attacks such as SolarWinds, Kaseya, and Log4Shell.

The Synopsys Software Integrity Group and Enterprise Strategy Group (ESG) found that 99% of organizations were either already using (80%) or planning (19%) to incorporate open source software (OSS) in the next 12 months. However, more than half (54%) of the respondents were concerned about the prevalence of open source software, while 41% worried about becoming victims of hackers targeting popular open source software. Another 40% had problems trusting the origin of open source code, while 39% worried about the software bills of materials (SBOMs) for OSS.

According to Jason Schmitt, general manager at Synopsys, these and other concerns highlight the potential impact on organizations of software supply chain vulnerabilities introduced through open source software.

Most organizations are prepared to address software supply chain security risks

The Synopsys/ESG report found that nearly three-quarters (73%) of organizations had adopted measures to secure their supply chains.

Key software supply chain security measures adopted by most organizations include:

  • Strong authentication such as multifactor authentication (33%)
  • Executive visibility into secure development practices (33%)
  • Application security testing controls (32%)
  • Assessment of current security controls (30%)
  • Improved asset discovery (30%)
  • Scanning software updates (30%)
  • New detection rules and/or security analytics systems (29%)
  • Audits of software supply vendors (29%)
  • Regular composition analysis (26%)
  • Penetration testing/red teaming (26%)

According to Melinda Marks, ESG Senior Analyst, organizations seek to understand their OSS components and quickly respond to vulnerabilities.

Organizations prioritize developer-centric approaches to securing the software supply chain

The report stated that organizations were “shifting left” by incorporating security practices in early software development cycles to address software supply chain security risks. This “shift left” approach meant that developers played a critical role in supply chain risk management. According to two-thirds (68%) of respondents, this strategy was a priority for their organizations.

Consequently, organizations incorporated security-as-code (SaC) strategies, cybersecurity user stories in agile development, and GitOps to mitigate software supply chain security risks. The report found that 59% of organizations had incorporated SaC into developer workflows, while 72% believed it would be relevant in the next two years.

Similarly, 63% had adopted cybersecurity user stories in the agile software development process for cloud-native applications, and 55% had adopted GitOps to revert configurations.

According to the report, 31% of organizations had secrets stolen via Git repositories. Consequently, 85% of organizations scanned their repos for secrets, and many found them before they were leaked publicly.

Challenges in the “shift-left” approach to software supply chain security

While the developer-centric approach to securing the supply chain provided an opportunity to address cybersecurity staff shortages, most organizations faced insurmountable challenges.

According to the report, 56% of respondents said their organizations lacked enough analysts to implement security-as-code, while 51% said SaC was not mature enough to incorporate into their cybersecurity strategy.

Additionally, organizations had trouble keeping up with the speed and volumes of releases. This situation led to software releases without security checks or testing, according to 45% of the respondents.

Similarly, security teams lacked visibility into the development process (43%), and there was a lack of consistency among development teams (36%).

According to most security respondents, the “shifting left” approach wasn’t working, with only 34% saying that development teams were living up to their security expectations. Additionally, organizations anticipated more challenges in adopting the shift-left software supply chain security approach.

Forty-four percent of the respondents anticipated that the strategy would overburden developers with security responsibilities or tools, 43% that it would generate more work for security teams, and 42% that developers were unqualified for security responsibilities.

Open source software data breaches persist despite security efforts

Despite efforts to enhance software supply chain security, over a third (34%) of organizations suffered a breach related to open source software.

Additionally, more than a quarter (28%) suffered breaches from previously unknown zero-day exploits in OSS, according to the Walking the Line: GitOps and Shift Left Security report.

“As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative,” said Schmitt.

While the report indicated that most organizations were on track in addressing software supply chain security vulnerabilities posed by open source code, more effort is required to cover all bases.