
Developers Can Still Enhance Security Regardless of Post-Log4J Gains


Developers are increasingly incorporating security testing into their development pipelines, but there is still room for improvement, according to Snyk's annual 2023 State of Software Supply Chain Security report. The report finds that while two-thirds of companies integrate security tools into their build systems, only 40% have deployed security checks into the integrated development environment (IDE), and just 48% run them at the code-commit stage. Furthermore, 40% of companies use no supply chain security tooling at all, such as static application security testing (SAST) or software composition analysis (SCA) tools.

Randall Degges, head of developer relations at Snyk, emphasizes that every developer should run at least three types of scans: SAST on custom code, SCA on open source dependencies, and a scan of infrastructure-as-code files for insecure configurations. By prioritizing these three checks, developers can significantly improve their software development lifecycle and outpace the many companies that skip them.
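The three scans Degges recommends are easiest to understand as one gate that runs at commit or CI time and fails the build on anything at or above a severity threshold. The block below is an added example written for this page, not Snyk's tooling and not code from the report: it walks a Python AST for dangerous calls (SAST), matches pinned requirements against an advisory list (SCA), and inspects a Terraform JSON resource for a public ACL and missing encryption (IaC). The package names `widgetkit` and `examplelib`, the advisory entries, and all sample inputs are constructed for illustration.

```python
"""Minimal three-scan gate: SAST on custom code, SCA on dependencies, IaC config check.

Added example, not Snyk's tooling or the report's own code. Advisory data,
package names and all inputs below are constructed for illustration.
"""
import ast
import json
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    scanner: str
    severity: str
    location: str
    message: str


# --- 1. SAST over custom code: walk the AST rather than grep the source text ---
def _call_name(node: ast.Call) -> str:
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def sast_scan(source: str, filename: str = "app.py") -> list[Finding]:
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name, where = _call_name(node), f"{filename}:{node.lineno}"
        if name in ("eval", "exec"):
            findings.append(Finding("sast", "high", where, f"{name}() evaluates data as code"))
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append(Finding("sast", "high", where, "subprocess call with shell=True"))
    return findings


# --- 2. SCA over pinned dependencies against an advisory list ---
# Constructed advisories for fictional packages: name -> (first fixed version, severity).
ADVISORIES = {"widgetkit": ("2.4.1", "critical"), "examplelib": ("1.9.0", "medium")}


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def sca_scan(requirements: str) -> list[Finding]:
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        where = f"requirements.txt:{lineno}"
        if not m:  # unpinned deps cannot be matched against advisories reliably
            findings.append(Finding("sca", "low", where, f"requirement not pinned: {line!r}"))
            continue
        name, ver = m.group(1).lower(), m.group(2)
        if name in ADVISORIES and _version(ver) < _version(ADVISORIES[name][0]):
            fixed, sev = ADVISORIES[name]
            findings.append(Finding("sca", sev, where, f"{name} {ver} vulnerable, fixed in {fixed}"))
    return findings


# --- 3. IaC check over Terraform JSON syntax (resource -> type -> name -> config) ---
def iac_scan(tf_json: str) -> list[Finding]:
    findings = []
    buckets = json.loads(tf_json).get("resource", {}).get("aws_s3_bucket", {})
    for name, cfg in buckets.items():
        where = f"main.tf.json:aws_s3_bucket.{name}"
        if cfg.get("acl", "private").startswith("public"):
            findings.append(Finding("iac", "high", where, f"bucket ACL is {cfg['acl']}"))
        if "server_side_encryption_configuration" not in cfg:
            findings.append(Finding("iac", "medium", where, "no server-side encryption configured"))
    return findings


def gate_passes(findings: list[Finding], fail_on: str = "high") -> bool:
    """Fail the build when any finding is at or above the threshold severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_on] for f in findings)


# Constructed sample inputs: one finding type per scanner, plus an unpinned dependency.
SAMPLE_CODE = "import subprocess\ndef run(cmd):\n    return subprocess.run(cmd, shell=True)\n"
SAMPLE_REQS = "widgetkit==2.3.0\nexamplelib==1.9.2\nflask\n"
SAMPLE_TF = json.dumps({"resource": {"aws_s3_bucket": {"logs": {"acl": "public-read"}}}})


def run_all() -> tuple[list[Finding], bool]:
    findings = sast_scan(SAMPLE_CODE) + sca_scan(SAMPLE_REQS) + iac_scan(SAMPLE_TF)
    return findings, gate_passes(findings)


if __name__ == "__main__":
    results, ok = run_all()
    for f in results:
        print(f"[{f.scanner}] {f.severity:<8} {f.location}: {f.message}")
    print("GATE:", "pass" if ok else "FAIL")
```

In a real pipeline the three functions are replaced by the vendor's scanners (for Snyk's CLI: `snyk code test`, `snyk test` and `snyk iac test` respectively), but the gating logic stays the same: aggregate findings from all three, and block the commit or merge on a fixed severity threshold rather than on a scanner-by-scanner basis.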

Fortunately, the report also indicates that more companies are now paying attention to software security, particularly in the wake of the Log4j vulnerabilities that affected numerous organizations. The Snyk report reveals that 94% of companies have made significant changes to their approach to application security in the 18 months since the disclosure of Log4Shell. Of the respondents, nearly two-thirds increased the frequency of scanning, while more than half adopted new tools (59%) or provided additional security training to developers (53%).

Degges draws a parallel between the impact of the Log4j vulnerabilities and Edward Snowden's release of classified documents, stating that it has prompted an unprecedented focus on software security measures. He believes that this is the most significant driver of software security behavior he has witnessed in his career.

In addition to security testing, developers are also utilizing AI tools to expedite code production and plan to continue leveraging AI in the future. However, the report indicates that despite 77% of developers believing that AI tools help them produce better and more secure code, 59% of them still harbor concerns about potential vulnerabilities in their code. Degges cautions that while AI-powered tools can enhance code development speed, those who place excessive trust in these tools may find their code less secure. He emphasizes the importance of developers understanding what they are doing and assuming that all generated code is unsafe by default.

The prevalence of AI assistants is evidenced by the fact that ChatGPT is now incorporated into nearly 1,000 packages from the Python Package Index (PyPI) and the Node Package Manager (npm). However, this rapid expansion of AI technologies also brings risks, as malicious packages can introduce malware and other dangers to the software supply chain.

The report also highlights an interesting trend: developers are addressing vulnerabilities in open source software faster than in custom components. While the report does not give specific reasons for this, it notes that the time to fix (TTF) for proprietary software increased slightly in 2022, while the TTF for open source software continues to decline. Snyk reads this as a sign that the open source ecosystem is improving its security response over time and is on track to respond better than the closed source domain. In fact, the TTF for critical- and high-severity open source vulnerabilities fell by roughly half in 2022, the third consecutive year of decline.

Degges attributes this improvement to heightened awareness among open source maintainers regarding security issues, particularly those related to supply chain security. Overall, he commends the significant progress seen in the open source community over the past year.

As the adoption of security testing increases and developers incorporate AI tools into their workflows, it is crucial for companies to prioritize the integration of security measures throughout the software development lifecycle. By doing so, they can enhance code security, mitigate vulnerabilities, and safeguard their software supply chain from potential threats.
