A new study reveals that while 80% of companies use open source software (OSS), a figure expected to reach 99% next year, only 1% say they are unconcerned about its security.
The Synopsys report, based on research by Enterprise Strategy Group (ESG), shows that in response to high-profile supply chain attacks, 73% of respondents say they have significantly increased their efforts to secure their organization's software supply chain.
Actions taken include adopting some form of multi-factor authentication technology (33%), investing in application security testing controls (32%), and improving asset discovery to update their organization's attack surface inventory (30%). Despite these efforts, 34% of organizations report that their applications have been exploited through a known vulnerability in open source software in the past 12 months, and 28% report a previously unknown (zero-day) vulnerability found in open source software being exploited.
Pressure to improve software supply chain risk management has put the spotlight on software bills of materials (SBOMs). But the explosion in OSS usage, combined with lackluster OSS management, has made compiling SBOMs complex: ESG research shows that 39% of survey respondents called it a challenge for their organization's use of OSS.
“As organizations see the level of potential impact that a software supply chain security vulnerability or breach can have on their business through headlines, prioritizing a proactive security strategy is now a fundamental business imperative,” said Jason Schmitt, general manager responsible for Synopsys’ software integrity group. “While open source risk management is an essential part of software supply chain risk management in cloud-native applications, we also need to recognize that risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories – the list goes on and on and must be considered to ensure a holistic approach to software supply chain security.”
The results also suggest that while developer-centric security and "shift left" (the practice of enabling developers to perform security testing earlier in the development lifecycle) are growing among organizations that build cloud-native applications, 97% of those organizations experienced a security incident involving their cloud-native applications in the last 12 months.
Faster release cycles also present security challenges. App development (41%) and DevOps (45%) teams agree that developers often bypass established security processes, while a majority of app developers (55%) agree that security teams lack visibility into development processes.
You can find out more on the Synopsys website.