Organizations Strengthen Software Supply Chain Security, But Strategies Remain Fragmented
Dive Brief:
- According to research by Enterprise Strategy Group on behalf of Synopsys.
- Investments range from multi-factor authentication to application security testing and improving asset discovery. However, despite these efforts, more than a third of organizations have been exploited due to a known open-source software vulnerability in the past 12 months and 28% have been impacted by a zero-day exploit, according to the report.
- The biggest concern for more than half of all survey respondents is the high percentage of application code based on open source software. The study is based on a survey of 350 decision makers working in IT and cybersecurity as well as application developers.
Dive Insight:
There is an urgent and ongoing debate about the security of software supply chains and the developer community’s heavy reliance on open source software.
The industry is beginning to reach a consensus that security must become a much higher priority during the development phase. By the time an actual attack or widespread vulnerability occurs, it may be too late for many organizations to quickly find and remediate the damage to their systems.
Research reveals that managing open source is a priority for many organizations, according to Tim Mackey, senior security strategist at Synopsys Cybersecurity Research Center.
“That includes managing vulnerabilities and being the victim of an attack, but also interesting is the fear of having too much open source in their application stack,” Mackey said via email.
There is a growing body of research examining the security implications of using open source. In June, a study by the Linux Foundation and Snyk reported that 40% of organizations do not have a high level of confidence in open source security.
In July, a review by the federal government’s Cyber Safety Review Board found that the impact of the Log4j vulnerability would last long into the future, calling it an “endemic vulnerability”.
But management responses to growing security risks to the software supply chain are still in their infancy, according to research by Gartner. Responses are either absent or fragmentary.