
Most Companies Affected by Software Supply Chain Attacks in the Last Year, Facing Challenges in Detection and Response


A recent report by Synopsys in collaboration with the Ponemon Institute has shed light on the alarming increase in software supply chain attacks affecting global organisations. According to the report, more than half of organisations (54%) have experienced such attacks in the past year, highlighting the growing risk environment that many are struggling to navigate effectively.

One of the key takeaways from the report is the delayed response time to these attacks, with half of the organisations taking more than a month to address the issue. Additionally, a significant number (one in five) admit that their detection and response capabilities are inadequate, further exacerbating the impact of these attacks.

The report also highlights the widespread integration of artificial intelligence (AI) tools in the software development process. A majority of security professionals (52%) reported using AI tools within their development teams, including popular tools like OpenAI Codex, ChatGPT, and GitHub Copilot. While AI-driven automation has proven to be efficient, concerns have been raised about the lack of safeguards in place to evaluate AI-generated code for potential risks related to licensing, security, and quality. Only 32% of organisations have established procedures to address these concerns, indicating a significant gap in security measures.

Moreover, survey respondents expressed dissatisfaction with the commitment from decision-makers in addressing these challenges. Despite the increase in investment following high-profile incidents like the SolarWinds breach, only 39% of organisations indicate strong leadership commitment to mitigating malware risks in software supply chains. Additionally, only 38% believe that the current resources allocated to supply chain security are adequate, further underscoring the need for increased vigilance and investment in this area.

In a statement regarding the report, Jason Schmitt, general manager of Synopsys Software Integrity Group, emphasized the growing threat of supply chain attacks and the need for enhanced security measures. He noted, “Attackers are getting more sophisticated and thus finding more weaknesses that allow them to exploit a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications, and continuously evaluate IP, security threats, and code quality to reduce risk.”

Additional key findings from the report include the limited adoption of Software Bills of Materials (SBOMs), critical for ensuring supply chain security, with only 35% of organisations producing them. Furthermore, open source vulnerabilities remain a significant concern, with 65% of respondents utilizing open source software, yet less than half (47%) deeming their security measures highly effective in securing it within the supply chain.

To learn more about the findings of the report, interested parties can download a copy of “The State of Software Supply Chain Security Risks” report, read the accompanying blog post, or register for the upcoming webinar on May 23. These resources aim to educate and inform organisations about the critical need for enhanced security measures in the face of evolving cyber threats.
