A new study reveals that while 80 percent of enterprises are using open source software (OSS) — set to rise to 99 percent in the next year — a mere one percent say they aren’t worried about security.
The report from Synopsys, based on research by Enterprise Strategy Group (ESG), shows that in response to high-profile supply chain attacks, 73 percent of respondents say they have significantly increased their efforts to secure their organizations’ software supply chain.
Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.
Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS.
“As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative,” says Jason Schmitt, general manager of the Synopsys Software Integrity Group. “While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories — the list goes on and on and must all be accounted for to ensure a holistic approach to software supply chain security.”
The findings also suggest that although developer-focused security and ‘shifting left’ — a concept focused on enabling developers to conduct security testing earlier in the development lifecycle — are growing among organizations building cloud-native applications, 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.
Faster release cycles are also presenting security challenges. Application development (41 percent) and DevOps (45 percent) teams agree that developers often skip established security processes, while a majority of application developers (55 percent) agree that security teams lack visibility into development processes.
You can find out more on the Synopsys site.