Software supply chain security by the numbers: 30 stats that matter
Compromises including Log4J, SolarWinds’ Orion network management technology, and Progress Software’s MoveIT file transfer software have heightened focus on software supply chain security in recent years.
The rapidly growing attack surface stemming from the adoption of cloud computing, software-as-a-service models, containers, microservices architectures and AI-enabled threats are all driving forces for concern.
Here are 30 stats that put the state of software supply chain security into perspective — and contain key takeaways for development and application security (AppSec) teams.
[ Key takeaways: The State of Software Supply Chain Security 2024 | Read and share the full report ]
Scope of the problem: Tools and teams
80%: Applications that contain at least one security vulnerability
Among the most common are vulnerabilities related to outdated components, security logging and monitoring failures, injection flaws, broken access controls and cryptographic failures.
Source: State of Software Security 2024, Veracode
42%: Apps with flaws left unaddressed for more than a year
Application security debt—or flaws that persist without any mitigation for over a year—are a growing problem. More than 7-in-10 organizations (71%) are burdened with significant security debt.
Source: State of Software Security 2024, Veracode
71%: Pros who perceive their software attack surface as unmanageable
Chief information security officers in particular feel this way, with four out of five viewing their applications as hard to protect. Just over six-in-10 (61%) of DevSecOps directors feel this way about their attack surface.
Source: The State of ASPM 2024, Cycode
95%: Teams using 20 or more tools to manage application security
Tool sprawl has become a real problem for application security professionals. IT and security leaders at organizations that have deployed multiple tools to protect their applications now say that managing those tools across their developer and security teams has become a major challenge.
Source: The State of ASPM 2024, Cycode
Software Supply Chain Security
72%: Pros who said software supply chain security was their biggest blind spot
More than seven-in-10 security professionals are concerned about a lack of visibility into the development and supply chain pipelines as heightening breach risks.
Source: The State of ASPM 2024, Cycode
60%: Organizations demanding software bill of materials (SBOM) by 2026
The rise of supply chain attacks and compliance requirements tied to directives like the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) will make SBOMs a core component of application security. Gartner says that six in 10 companies will require such disclosure in their license and support agreements.
Source: Mitigate Enterprise Software Supply Chain Risk, Gartner
1300%: The increase in threats via OSS package repositories
Researchers discovered more than 7,000 malicious packages on PyPI alone in 2023, an increase of 400% over the prior year. Most of the malicious packages found on PyPI and npm were information stealers.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
11,000: Malicious packages discovered on npm, PyPI and RubyGems
The number, from 2023, represented a 28% increase over the 8,700 malware-laden packages that researchers detected across these three repositories in 2022.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
70%: Applications that have flaws in third-party code
The datapoint (70.2% exactly) highlights the need for organizations to do continuous security testing of both in-house and third-party code throughout the software development lifecycle. About 60% of apps have vulnerabilities in first-party code.
Source: State of Software Security 2024, Veracode
96%: Applications with OSS vulnerabilities that are completely avoidable
Suboptimal consumption behaviors caused organizations to download 2.1 billion open source software (OSS) components with known vulnerabilities in them in 2023, when a better, fixed version of each of those components was available.
Source: State of the Software Supply Chain Report, Sonatype
11%: Open source projects that were actively maintained in 2023
Very few open-source projects have active oversight. An analysis of over 1.7 million open source projects across four major public repositories showed a year-over-year decline of 18% in the number of actively maintained projects—heightening security risks for organizations using these ecosystems.
Source: State of the Software Supply Chain Report, Sonatype
84%: Codebases that contained at least one open source vulnerability
A study of 1,000 codebases across 17 industries describes the near ubiquitous prevalence of open-source code on modern applications — 96% of codebases contain open source code — which has heightened security risks for organizations.
Source: 2024 Open Source Security and Risk Analysis Report, Synopsys
DevSecOps
31%: Firms that use an AppSec maturity model and track security tools usage
The adoption of application security practices across teams appears to be slowly maturing at a substantial percentage of organizations. But 58% need to do a lot of work to even get to baseline security levels.
Source: 2023 State of Application Security, ArmorCode
66%: Stakeholders who say speed takes precedence over security
The unrelenting pressure to release software quickly is one reason for mounting security debt at many organizations. Fifty-six percent of DevSecOps and AppSec teams currently have at least some unmanaged in their software stack.
Source: 2023 State of Application Security, ArmorCode
80%: Teams that have had critical security issues delaying their DevOps
Almost all organizations that develop software — 91% — have adopted at least some DevSecOps practices, but many developers, AppSec professionals, DevOps engineers — and CISOs — struggle with implementation and compliance challenges.
Source: Global State of DevSecOps 2023, Synopsys
52%: Organizations using AI-enabled tools to enhance their AppSec posture
Despite more than half of DevSecOps teams having begun adopting AI, nearly three-quarters of them (74%) are either very, or somewhat concerned about potential weaknesses in their AI-powered security products.
Source: Global State of DevSecOps 2023, Synopsys
91%: Development organizations that release software with vulnerabilities
The constant pressure to release new applications and features is causing developers to release software applications with known security issues. CISOs say that one-third release vulnerable code hoping that no one will discover the flaws.
Source: Future of Application Security 2024, Checkmarx
71%: Organizations releasing software updates at least once a week
Despite the faster cadence of application updates these days, most organizations rely heavily on manual processes to catalog and inventory their applications and microservices. The result is that many organizations don’t have accurate and up-to-date information about their applications.
Source: 2024 State of Application Security Report, CrowdStrike
54%: Major code changes that goes through a formal security review process
About one-in-five (22%) organizations review code changes once a quarter or less, and organizations don’t review code changes because of how long it takes. Eighty-one percent, for instance, take more than one full business day to review a major code change – and 35% require more than three business days.
Source: 2024 State of Application Security Report, CrowdStrike
40%: Organizations using software composition analysis (SCA) for security
Application security teams at many organizations continue to rely heavily on traditional vulnerability management tools to their detriment as the threat landscape has evolved considerably in recent years. The survey found that additionally during the application development lifecycle, 42% use DAST and 54% use SAST.
Source: Software Supply Chain Security Risk Report, ReversingLabs
74%: Pros who say legacy AST tools leave them exposed to supply chain risks
Traditional application security tools (AST) that target known vulnerabilities in open-source components are no longer sufficient because organizations increasingly require capabilities for testing all software types — and the entire software development lifecycle.
Source: Software Supply Chain Security Risk Report, ReversingLabs
Cloud and SaaS
67%: Percentage of enterprise applications in the cloud
With more than two-thirds of applications at most organizations now running in the cloud, concerns are rising among CISOs and other security leaders about issues like identity and access management, data governance and software supply chain risks.
Source: Future of Application Security 2024, Checkmarx
81%: Organizations that see security as their biggest cloud-related challenge
Concerns over the safety of applications and data in cloud environments remain high. But for the second year in a row, concerns over how to manage cloud spending topped security as the biggest cloud related challenge across 621 organizations.
Source: 2024 State of the Cloud Report, Flexera
73%: Teams concerned about data breaches from cloud-hosted apps
Nearly three quarters of respondents in a survey of 500 stakeholders say major concerns over cloud file upload services included reputational damage, loss in business or revenue, denial of service and ransomware.
Source: The State of Web Application Security 2023, Opswat
55%: Companies that experienced incidents in their SaaS
The number of companies affected by incidents in their Security as a Service (SaaS) environments in the last two years represents a sharp increase of 12% from just one year ago. The most common incidents included data leakage, malicious apps, data breaches and SaaS ransomware. Another 12% are unsure if they experienced a security incident or not.
Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield
58%: Companies using SaaS tools that cover 50% or less of their software
The percentage of organizations using SaaS tools that do not provide complete coverage is alarming. Organizations are at heightened data breach and data loss risk because they don’t monitor their SaaS environments sufficiently.
Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield
Artificial Intelligence (AI) and Machine Learning (ML)
255: The number of secrets leaks linked to the OpenAI platform on PyPI
The rapid adoption of large language model-based generative AI tools such as ChatGPT has led to more secrets being exposed on public repositories, which is heightening risks for organizations using these tools. On npm, the number of secrets leaks associated with OpenAI was 247.
Source: The State of Software Supply Chain Security 2024, ReversingLabs
96%: Engineering teams using AI assistants during the development process
Almost all organizations that develop software have begun using AI-based code completion and code generation tools such as GitHub Copilot and Amazon CodeWhisperer when developing software. The goal is to speed up the pace of code development and deployment, but they are introducing greater risk.
Source: 2023 AI-Generated Code Security Report, Snyk
56.4%: Engineers and leaders who say AI coding assistants introduce security problems
Many development teams continue to place complete trust in the security of AI-generated code. However, few organizations using these tools have changed their processes to improve AI security.
Source: 2023 AI-Generated Code Security Report, Snyk
79.9%: Dev teams that ignore or bypass policies governing AI coding assistants
More than half of developers use AI coding tools either all the time or most of the time, and many others use them to varying lesser degrees, all in violation of their organization’s policies. Only 10% scan their code for potential vulnerabilities after such use.
Source: 2023 AI-Generated Code Security Report, Snyk
*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Jai Vijayan. Read the original post at: https://www.reversinglabs.com/blog/software-supply-chain-security-by-the-numbers-30-key-stats-that-matter