
Software supply chain security by the numbers: 30 stats that matter

Compromises including Log4J, SolarWinds’ Orion network management technology, and Progress Software’s MoveIT file transfer software have heightened focus on software supply chain security in recent years.

The rapidly growing attack surface stemming from the adoption of cloud computing, software-as-a-service models, containers, microservices architectures and AI-enabled threats is a driving force for concern.

Here are 30 stats that put the state of software supply chain security into perspective — and contain key takeaways for development and application security (AppSec) teams.


Scope of the problem: Tools and teams

80%: Applications that contain at least one security vulnerability

Among the most common are vulnerabilities related to outdated components, security logging and monitoring failures, injection flaws, broken access controls and cryptographic failures.

Source: State of Software Security 2024, Veracode

42%: Apps with flaws left unaddressed for more than a year

Application security debt—flaws that persist without any mitigation for over a year—is a growing problem. More than 7 in 10 organizations (71%) are burdened with significant security debt.

Source: State of Software Security 2024, Veracode

71%: Pros who perceive their software attack surface as unmanageable

Chief information security officers in particular feel this way, with four out of five viewing their applications as hard to protect. Just over six in 10 (61%) DevSecOps directors feel this way about their attack surface.

Source: The State of ASPM 2024, Cycode

95%: Teams using 20 or more tools to manage application security

Tool sprawl has become a real problem for application security professionals. IT and security leaders at organizations that have deployed multiple tools to protect their applications now say that managing those tools across their developer and security teams has become a major challenge.

Source: The State of ASPM 2024, Cycode

Software Supply Chain Security 

72%: Pros who said software supply chain security was their biggest blind spot 

More than seven in 10 security professionals say that a lack of visibility into their development and supply chain pipelines heightens their breach risk.

Source: The State of ASPM 2024, Cycode 

60%: Organizations demanding software bill of materials (SBOM) by 2026

The rise of supply chain attacks and compliance requirements tied to directives like the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) will make SBOMs a core component of application security. Gartner says that six in 10 companies will require such disclosure in their license and support agreements.

Source: Mitigate Enterprise Software Supply Chain Risk, Gartner

1,300%: The increase in threats via OSS package repositories

Researchers discovered more than 7,000 malicious packages on PyPI alone in 2023, an increase of 400% over the prior year. Most of the malicious packages found on PyPI and npm were information stealers.

Source: The State of Software Supply Chain Security 2024, ReversingLabs

11,000: Malicious packages discovered on npm, PyPI and RubyGems

The number, from 2023, represented a 28% increase over the 8,700 malware-laden packages that researchers detected across these three repositories in 2022.

Source: The State of Software Supply Chain Security 2024, ReversingLabs

70%: Applications that have flaws in third-party code

The data point (70.2% exactly) highlights the need for organizations to do continuous security testing of both in-house and third-party code throughout the software development lifecycle. About 60% of apps have vulnerabilities in first-party code.

Source: State of Software Security 2024, Veracode

96%: Applications with OSS vulnerabilities that are completely avoidable

Suboptimal consumption behaviors caused organizations to download 2.1 billion open source software (OSS) components with known vulnerabilities in them in 2023, when a better, fixed version of each of those components was available.

Source: State of the Software Supply Chain Report, Sonatype

11%: Open source projects that were actively maintained in 2023

Very few open source projects have active oversight. An analysis of over 1.7 million open source projects across four major public repositories showed a year-over-year decline of 18% in the number of actively maintained projects—heightening security risks for organizations using these ecosystems.

Source: State of the Software Supply Chain Report, Sonatype

84%: Codebases that contained at least one open source vulnerability

A study of 1,000 codebases across 17 industries describes the near-ubiquitous prevalence of open source code in modern applications — 96% of codebases contain open source code — which has heightened security risks for organizations.

Source: 2024 Open Source Security and Risk Analysis Report, Synopsys 

DevSecOps

31%: Firms that use an AppSec maturity model and track security tools usage

The adoption of application security practices across teams appears to be slowly maturing at a substantial percentage of organizations. But 58% need to do a lot of work to even get to baseline security levels.

Source: 2023 State of Application Security, ArmorCode

66%: Stakeholders who say speed takes precedence over security

The unrelenting pressure to release software quickly is one reason for mounting security debt at many organizations. Fifty-six percent of DevSecOps and AppSec teams currently have at least some unmanaged in their software stack.

Source: 2023 State of Application Security, ArmorCode

80%: Teams that have had critical security issues delaying their DevOps

Almost all organizations that develop software — 91% — have adopted at least some DevSecOps practices, but many developers, AppSec professionals, DevOps engineers and CISOs struggle with implementation and compliance challenges.

Source: Global State of DevSecOps 2023, Synopsys

52%: Organizations using AI-enabled tools to enhance their AppSec posture

Despite more than half of DevSecOps teams having begun adopting AI, nearly three-quarters of them (74%) are either very or somewhat concerned about potential weaknesses in their AI-powered security products.

Source: Global State of DevSecOps 2023, Synopsys

91%: Development organizations that release software with vulnerabilities

The constant pressure to release new applications and features is causing developers to release software applications with known security issues. CISOs say that one-third release vulnerable code hoping that no one will discover the flaws.

Source: Future of Application Security 2024, Checkmarx

71%: Organizations releasing software updates at least once a week

Despite the faster cadence of application updates these days, most organizations rely heavily on manual processes to catalog and inventory their applications and microservices. The result is that many organizations don’t have accurate and up-to-date information about their applications.

Source: 2024 State of Application Security Report, CrowdStrike

54%: Major code changes that go through a formal security review process

About one in five (22%) organizations review code changes once a quarter or less, and organizations skip reviews because of how long they take. Eighty-one percent, for instance, take more than one full business day to review a major code change, and 35% require more than three business days.

Source: 2024 State of Application Security Report, CrowdStrike 

40%: Organizations using software composition analysis (SCA) for security

Application security teams at many organizations continue to rely heavily on traditional vulnerability management tools, to their detriment, even though the threat landscape has evolved considerably in recent years. The survey also found that, during the application development lifecycle, 42% use DAST and 54% use SAST.

Source: Software Supply Chain Security Risk Report, ReversingLabs

74%: Pros who say legacy AST tools leave them exposed to supply chain risks

Traditional application security testing (AST) tools that target known vulnerabilities in open source components are no longer sufficient, because organizations increasingly require capabilities for testing all software types — and the entire software development lifecycle.

Source: Software Supply Chain Security Risk Report, ReversingLabs 

Cloud and SaaS

67%: Percentage of enterprise applications in the cloud

With more than two-thirds of applications at most organizations now running in the cloud, concerns are rising among CISOs and other security leaders about issues like identity and access management, data governance and software supply chain risks.

Source: Future of Application Security 2024, Checkmarx

81%: Organizations that see security as their biggest cloud-related challenge

Concerns over the safety of applications and data in cloud environments remain high. But for the second year in a row, concerns over how to manage cloud spending topped security as the biggest cloud-related challenge across 621 organizations.

Source: 2024 State of the Cloud Report, Flexera

73%: Teams concerned about data breaches from cloud-hosted apps

Nearly three-quarters of respondents in a survey of 500 stakeholders say their major concerns over cloud file upload services include reputational damage, loss of business or revenue, denial of service and ransomware.

Source: The State of Web Application Security 2023, Opswat

55%: Companies that experienced incidents in their SaaS

The number of companies affected by incidents in their software-as-a-service (SaaS) environments in the last two years represents a sharp increase of 12% from just one year ago. The most common incidents included data leakage, malicious apps, data breaches and SaaS ransomware. Another 12% are unsure whether they experienced a security incident or not.

Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield

58%: Companies using SaaS tools that cover 50% or less of their software

The percentage of organizations using SaaS tools that do not provide complete coverage is alarming. Organizations are at heightened risk of data breach and data loss because they don’t monitor their SaaS environments sufficiently.

Source: The Annual SaaS Security Survey Report 2024, Adaptive Shield

Artificial Intelligence (AI) and Machine Learning (ML)

255: The number of secrets leaks linked to the OpenAI platform on PyPI

The rapid adoption of large language model-based generative AI tools such as ChatGPT has led to more secrets being exposed on public repositories, which is heightening risks for organizations using these tools. On npm, the number of secrets leaks associated with OpenAI was 247.

Source: The State of Software Supply Chain Security 2024, ReversingLabs

96%: Engineering teams using AI assistants during the development process

Almost all organizations that develop software have begun using AI-based code completion and code generation tools such as GitHub Copilot and Amazon CodeWhisperer when developing software. The goal is to speed up the pace of code development and deployment, but the tools are introducing greater risk.

Source: 2023 AI-Generated Code Security Report, Snyk 

56.4%: Engineers and leaders who say AI coding assistants introduce security problems

Many development teams continue to place complete trust in the security of AI-generated code. However, few organizations using these tools have changed their processes to improve AI security.

Source: 2023 AI-Generated Code Security Report, Snyk

79.9%: Dev teams that ignore or bypass policies governing AI coding assistants

More than half of developers use AI coding tools either all the time or most of the time, and many others use them to varying lesser degrees, all in violation of their organization’s policies. Only 10% scan their code for potential vulnerabilities after such use.

Source: 2023 AI-Generated Code Security Report, Snyk

This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Jai Vijayan. Read the original post at: https://www.reversinglabs.com/blog/software-supply-chain-security-by-the-numbers-30-key-stats-that-matter

Jai Vijayan

Vijayan is an independent journalist and tech content creation specialist who has been covering the technology industry for more than 20 years. He writes for several publications mainly on data security and privacy. He was most recently a senior editor at Computerworld.
