48% of security pros are falling behind compliance requirements

32% of security professionals think they can deliver zero-vulnerability software despite rising threats and compliance regulations, according to Lineaje. Meanwhile, 68% are more realistic, noting they feel uncertain about achieving this near-impossible outcome.


Software compliance adoption varies across organizations

While Software Bill of Material (SBOM) regulations and guidelines continue to increase, organizations vary in their level of adoption. Notably, some organizations do not have enough visibility, while others struggle with insufficient tools and processes.

The urgency of this cannot be overstated, especially given that over 90% of modern codebases are built upon open-source dependencies, and 95% of software weaknesses are directly attributable to this code.

A substantial 34% reported difficulty in accurately identifying and tracking open-source components, revealing a critical blind spot where developers and security professionals remain unaware of the elements they are integrating into their software supply chains.

The recent easyjson open-source vulnerability, which has been traced back to Russian developers, is the latest incident emphasizing the significant risks inherent in reliance on open-source components.

Compounding this lack of visibility, the survey found that 48% of security professionals are falling behind global SBOM compliance regulations, including the U.S. Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the EU Cyber Resilience Act.

Lack of compliance exposes organizations to significant fines and potential data breaches, and hurts their standing with security-minded customer prospects. 47% have not started SBOM integration or are presently evaluating tools and practices, despite legislation potentially opening their organizations up to legal and financial penalties.

Security teams lack tools to analyze SBOM vulnerabilities

In addition, 38% of respondents noted that they prioritize the most vulnerable areas within their applications. While this may sound positive at first, it means they are leaving the supposedly less vulnerable areas of the software supply chain open to attack.

With advancements in AI, all vulnerabilities are now exploitable. For example, GPT-4 can write exploits for 87% of known vulnerabilities. Without full visibility into all of the software supply chain’s dependencies, many organizations are likely underestimating risks.

Unfortunately, 29% of teams still lack the tools and processes needed to analyze SBOMs for vulnerabilities. Without the ability to correlate SBOM data with known weaknesses or automate risk prioritization, organizations face delayed threat response times, widening the window of opportunity for attackers to exploit security weaknesses.

AI enhances software supply chain security visibility

88% of respondents reported that AI has the potential to critically or significantly enhance software supply chain security visibility. For example, we’ve seen a big uptick in organizations’ desire to use AI for auto-remediation. This readiness to adopt AI to secure code is driven by the adoption of AI by developers to create code.

When asked what the most pressing or high-stakes issues that AI is creating for organizations today are, the top two responses were data security and privacy risks (35%), and AI code generation and vibe coding risks (26%). This makes a lot of sense given practices like AI code generation and vibe coding significantly increase the software supply chain attack surface.

AI-powered auto-remediation is a great tool for combating this increased risk; however, it is limited to vulnerabilities for which fixes are available. 70% of respondents admitted that when a fix is not available for a vulnerability, they either don’t have, or are not sure whether they have, a remediation plan in place.

“It is heartening to note that security professionals are more aware of security drivers around AI innovations, open-source risks, and increasing regulations,” said Javed Hasan, CEO at Lineaje. “However, driving safer digital infrastructure requires more action tied to this awareness. Organizations must leverage holistic solutions that can provide visibility into all code, and fix them at the velocity of digital transformations – so teams can innovate instead of playing catch-up.”
