A report published by Synopsys, the US-based code quality management vendor, indicates a growing awareness of software supply chain risks among firms. Firms are increasingly using software bills of materials (SBOMs), which describe the components of software, to mitigate those risks, the survey found. SBOMs make it easier to find and avoid vulnerable components, and are especially relevant to the management of open-source software, the report says.
Greater use of automated software testing and DevSecOps practices are also identified as key trends in software security management in Synopsys's Building Security in Maturity Model (BSIMM) report, which has been published annually since 2008.
According to the BSIMM report, there has been a 30% increase over the past 12 months in building and maintaining SBOMs to catalogue the components within deployed software, and a 51% increase in activities associated with controlling open source risks.
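The basic check an SBOM enables is matching catalogued components against known-vulnerable version ranges. The following is an added example, not code from the BSIMM report or any vendor tool; the CycloneDX-style SBOM fragment and the advisory range it uses are constructed for illustration and are not an authoritative feed.

```python
"""Check a CycloneDX-style SBOM against a small advisory list (illustrative)."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM: a trimmed CycloneDX 1.4 JSON document with two components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})

# Constructed advisory list (hypothetical ranges, not a real vulnerability feed):
# (group, name, first affected version inclusive, fixed version exclusive)
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.17.1"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); trailing qualifiers such as '-beta9' are ignored."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:          # keep only the leading digits of each dotted segment
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)

def affected(version: str, first: str, fixed: str) -> bool:
    """True when first <= version < fixed, comparing numerically segment by segment."""
    return parse_version(first) <= parse_version(version) < parse_version(fixed)

def find_vulnerable(sbom_json: str) -> List[Dict[str, str]]:
    """Return the SBOM components whose coordinates and version fall in an advisory range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for group, name, first, fixed in ADVISORIES:
            if (comp.get("group") == group and comp.get("name") == name
                    and affected(comp.get("version", ""), first, fixed)):
                hits.append({"purl": comp.get("purl", ""), "fixed_in": fixed})
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM):
        print(f"{hit['purl']} is in an affected range; upgrade to >= {hit['fixed_in']}")
```

The match can only be as good as the inventory: a component the SBOM omits, or one pulled in after the SBOM was generated, produces a silent false negative, which is the limitation the analysts quoted below are pointing at.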
“The BSIMM13 findings suggest that with the attention placed on software supply chains, most enterprise organisations are taking a risk-based approach to application security,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “Such an approach recognizes that security isn't limited to the codebase; it includes the process of software development where security reviews and testing 'shift everywhere' to continuously improve security outcomes.”
“The findings also demonstrate that BSIMM member organisations' software security initiatives are maturing, and they're now looking for ways to drive the scalability, efficiency and overall effectiveness of their programs,” Schmitt said.
However, some analysts say SBOMs do not protect against common attacks, such as the Log4j exploit, which take advantage of the false sense of security an SBOM-based approach can create. For example, OX Security, the Israeli end-to-end software supply chain security platform for DevSecOps, aims to address this problem with a new standard, the ‘pipeline bill of materials’, designed to dynamically map attack surfaces from source code to containers and pipelines. Last week OX Security announced completion of a $34m seed financing round.
Regulators are looking more closely at the issue of security for software supply chains. They recently highlighted the risk and recommended test automation to cover vulnerabilities.
And while the Synopsys report on supply chain risk highlights improvements, not all research is so optimistic. A survey of C-suite executives in the US and Europe released by CloudBees, the California-based DevOps platform, revealed a drop in confidence in perceived software supply chain security as firms get to grips with the true size of the challenge. While 88% of executives say their software supply chain is secure or very secure, that is a decline from 95% in 2021.
“The fall in confidence for perceived security levels reflects that executives are starting to accept the reality of the depth and breadth of security and compliance challenges that their companies are facing,” said Prakash Sethuraman, chief information security officer of CloudBees. “There seems to be more of an understanding that supply chain security is a challenge that needs to be taken seriously and is perhaps far more complex than was originally understood by senior management.”
The CloudBees survey found 59% of executives believe their software supply chain is almost or completely automated, down 16% from 2021, while 78% say their software supply chain is mostly or completely compliant, down from 90% the previous year.
In countries that reported lower levels of software supply chain and compliance automation, shifting security and compliance left was seen as a help to development teams, while in countries like the USA, UK, and Australia - where automation is high - shifting security and compliance left was seen as a burden, increasing time spent auditing. Three quarters of executives say that compliance and security challenges are hindering innovation.
“While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work,” Sethuraman said. “What’s needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation.”
At the end of September, CloudBees announced the acquisition of ReleaseIQ - the Californian DevSecOps platform - to expand its own CI/CD and DevSecOps offerings.