Software supply chain security still a pain point

ActiveState announced the results of its survey, providing insights into the security challenges of the software industry’s open source supply chain, which includes the security of open source components, as well as the security and integrity of key software development processes. The results point to the fact that software supply chain security is still in its infancy.

Securing the software supply chain encompasses vulnerability remediation and the implementation of controls throughout the software development process. Key development processes include:

• Import – how secure is the process of bringing third-party tools, libraries, code snippets, packages and other software resources into the organization?
• Build – how secure is the organization’s process of assembling and building open source artifacts from source code?
• Run – how secure is the organization’s process of working with, testing, and running built artifacts in development, test and production environments?

The survey’s results, which were garnered from the responses of more than 1,500 developers, security professionals and open source leaders at organizations of all sizes worldwide, point to the immaturity of supply chain security across the software industry.

Areas of concern include the implicit trust that a worryingly high percentage of organizations (32%) place in open source repositories which fail to deliver any guarantees as to the security and integrity of the software they provide, as well as the low levels of build reproducibility (only 22% of organizations), making it difficult for anything built from source code to be deemed secure.

Loreli Cadapan, VP, Product Management, ActiveState, said: “Much more work is required to address the software industry’s supply chain security shortcomings. However, integrating multiple point solutions to create an end-to-end secure software supply chain is a non-trivial undertaking. To overcome this challenge, organizations should look for a turnkey, out-of-the-box solution to quickly secure their software supply chain.”