Dive Brief:
- Almost three-quarters of organizations have made significant enhancements to their software supply chain security following several high-profile incidents, including the SolarWinds nation-state attack and the Log4j vulnerability, according to a study by Enterprise Strategy Group on behalf of Synopsys.
- The investments range from multifactor authentication to application security testing and improved asset discovery. However, despite those efforts, more than one-third of organizations have been exploited due to a known open source software vulnerability in the last 12 months and 28% have been impacted by a zero-day exploit, according to the report.
- The biggest concern for more than half of all survey respondents is the high percentage of application code that is based on open source software. The study is based on a survey of 350 decision makers working in IT and cybersecurity as well as application developers.
Dive Insight:
There is an urgent and ongoing debate about the security of software supply chains and the heavy reliance of the developer community on open source software.
The industry is beginning to embrace a consensus that security needs to become far more of a priority during the development stage. By the time an attack or a widely exploited vulnerability surfaces, many organizations can no longer quickly find the affected components and remediate the damage to their systems.
The research reveals that managing open source is top of mind for many organizations, according to Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center.
“This includes vulnerability management and falling victim to an attack, but interestingly also the fear of having too much open source within their application stack,” Mackey said via email.
More research is delving into the security implications of relying on open source. In June, a study by Linux Foundation and Snyk indicated 40% of organizations don’t have a great deal of confidence in open source security.
In July, a report from the federal Cyber Safety Review Board showed the impact of the Log4j vulnerability would last well into the future, calling it an “endemic vulnerability.”
But management responses to the growing security risks to the software supply chain are still in their early stages, Gartner research found: where they exist at all, they are fragmented.