Proactive software supply chain security becoming critical as threats rise

Anchore released its report of executive insights into managing enterprise software supply chain security practices. The Anchore 2022 Software Supply Chain Security Report compiles responses from 428 leaders and executives in IT, security and development roles to identify the latest trends on how organizations are adapting to new security challenges of the software supply chain.

The survey was conducted in December 2021, both before and after the Log4j zero-day vulnerability was published. The impact was seen immediately, with respondents surveyed after the Log4j incident being much more likely to report significant or moderate impacts from supply chain attacks.

Managing software supply chain security a significant or top focus in 2022

In response to rising software supply chain concerns, 54% of respondents are making security of the software supply chain a significant or top focus in 2022. While 76% of large enterprises will increase their use of a software bill of materials (SBOM) in 2022, the data shows that SBOM practices must mature to improve supply chain security.

Only 18% of respondents have complete SBOMs for all their applications and less than one third follow SBOM best practices like maintaining an SBOM repository and requesting SBOMs from commercial vendors.

“The software security landscape is changing rapidly and it’s important that enterprise leaders understand how critical proactively security is becoming,” said Josh Bressers, VP of security at Anchore.

“The data shows us that organizations are focused on both open source and commercial software as part of their supply chain security efforts. The most important action now is to generate and store SBOMs for the software they build and use. This critical foundation provides visibility into the software components they depend on and monitor for the security of applications post-deployment. With an SBOM, organizations will be ready to respond quickly to the next zero-day vulnerability.”

Report highlights

• 62% of all organizations were impacted by software supply chain attacks in 2021. Technology companies were the most affected, with over 70% reporting attacks.
• As a result of these attacks, 54% indicated that securing the software supply chain is a top or significant focus for 2022.
• 70% of advanced container users identify software supply chain security as a top or significant focus.
• Security of open source software is the top focus for supply chain security efforts with 46% ranking it as a “Top 3” priority.