CISOs vs. developers: A battle over security priorities

A majority of both developers and CISOs view software supply chain security as a top priority in their roles (70% and 52% respectively), according to Chainguard.

However, there is a clear disconnect and even some distrust between CISOs and developers related to how security-conscious each department is within the organization, who is responsible for preventing and mitigating security issues, how well CISOs understand developers’ day-to-day tools, and how well developers understand the risk associated with aspects of their job and the tools they use.

“Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the most well-resourced and staffed organizations,” said Kim Lewandowski, CPO at Chainguard. “The findings in the report reflect the tension in the security landscape, as organizations are re-thinking how to maintain developer velocity and the advantages of open source technology, while closing the gap on a new class of vulnerabilities that software supply chains have accrued.”

CISOs emphasize software security in threat mitigation strategy

72% of software developers say they are very security-conscious in their roles while only 50% of CISOs rate software developers as very security-conscious.

Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work, which is low when compared to other aspects of how developers perceive their security team to understand their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software build tools (59%).

The report found that 92% of developers say software supply chain security is at least very important to their day-to-day work and development processes, with 39% marking it as absolutely essential. 93% of CISOs noted effective software security as a critical component of their organizational maturity and threat / risk mitigation strategy, and 96% say effective software security practices are important to meeting government or regulatory requirements.

36% of CISOs and 34% of developers report that an overwhelming number of scanner false positive vulnerability alerts are among the biggest obstacles an organization faces in ensuring software supply chain security. Both groups also cite consumption of vulnerable software and a lack of cohesion between CISOs and developers as main obstacles to software supply chain security.

Lack of communication and collaboration between developers and security teams

69% of CISOs and 64% of developers agree that lack of communication and collaboration between developers and security teams is a problem. Despite the tension present, both teams agree that it is absolutely essential that best practices and tooling in software security result in certain business outcomes, including customer retention (43% and 40%, respectively), meeting or satisfying procurement contract obligations (36% and 32%), fewer breaches or compromises (34% each), and developer / engineer productivity (32% and 34%).

“Developers and CISOs juggle numerous security priorities, often conflicting across organizations,” noted Luke Shoberg, Global CISO at Sequoia Capital. “The report emphasizes the need for internal assessments, fostering deeper collaboration, and building trust among teams managing this critical domain. Recognizing technical and cultural obstacles, organizations have made significant strides in understanding the importance of securing the software supply chain for sustained business success.”

“The world of software consumption and security has radically changed. From containers to the explosion of open source components, every motion has been toward empowering developers to build faster and better,” said Avon Puri, Global Chief Digital Officer at Sequoia Capital.

“But with that progress, the security paradigm has been challenged to refocus on better controls and guarantees for the provenance of where software artifacts come from and that their integrity is being maintained. The survey shows developers and security teams are wrestling with this new reality in the wake of major exploits like Log4j and SolarWinds. There is a near universal awareness of the challenges, but still a ton of uncertainty about how to best solve them in the context of trust and collaboration to secure modern developer toolchains and workflows,” added Puri.

Security risks in the era of constant software changes

Developers have already been wrestling with the natural tension between “build fast and break things” and the shift-left security movement. At the same time, CISOs are under immense pressure to maintain their organization’s security and compliance posture amid rising threats to the supply chain.

According to the report, 77% of CISOs and 68% of developers agree that the need to prioritize security causes tension between their teams. The report found that developers don’t want their day-to-day productivity to be affected by security tools or requirements, with 82% agreeing that software supply chain security practices shouldn’t make it more difficult for them to get their work done.

Tooling is also contributing to the tension, with 73% of developers agreeing that the work/tools their security team requires them to use interferes with their productivity and innovation.

While the industry has closed some gaps in the old world of software consumption, the new modern reality today is faced with opening even more, including an explosion of open source software, constant upgrades and patches and new classes of exploits that target software artifacts, container images and build systems.

Frameworks for software supply chain security–like Supply-chain Levels for Software Artifacts (SLSA) and the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF)–have rapidly matured and given security teams methods for how they approach policies and oversight, while giving developers more prescriptive best practices.

Organizations prepare for future shifts in software supply chain security

According to the report, in alignment with the importance already placed on software supply chain security by developers and CISOs, most say that their organizations already have some tools in place to address software supply chain security. These include the adoption of SBOMs (40%) and nearly half are implementing software supply chain security frameworks like SLSA (47%) and SSDF (47%).

In addition to the existing adoption of software supply chain security tooling and frameworks, CISOs and developers expect changes to come in the next five years for software supply chain security at their organizations.

The majority believe that prioritization of software supply chain security will increase over the next five years (85% among developers, 74% among CISOs), with almost one-third of developers saying that this will significantly increase (32% and 22% among security leaders).

CISOs have a slightly more tempered approach, with 23% anticipating their company’s approach to remain the same (vs. 15% among developers). This slightly tempered outlook on prioritization by security decision-makers could be due to the fact that they themselves are more involved in and having more visibility around long-term security strategy decisions.