Insights Into Software Supply Chain Security
Written by Sue Gee
Wednesday, 08 November 2023
A report from Chainguard reveals that while software developers and security leaders are committed to tackling software supply chain security, differences in their perspectives and priorities can cause tension.
The 2023 CISO & Developer Trends in Software Supply Chain Security Report has the findings of a survey that aimed to cover:
The research was conducted online in the U.S. by The Harris Poll and involved a total of 520 participants; 268 Security Decision-Makers (CISOs) and 252 Developers.
As this chart indicates, while a majority of both CISOs (52%) and developers (70%) view supply chain security as important, there is a discrepancy in where it falls in the prioritization stack: for developers it comes a close second to the top priority of cybersecurity risk management/compliance, while for CISOs it is a more distant third.
Compared to CISOs, developers feel more responsible for implementing safe software practices and reducing risks in the software supply chain, and 72% of developers say they are very security conscious in their role. However, only 50% of CISOs rate software developers as very security-conscious.
Another area of contention is container images. Developers report that security teams don’t understand a crucial security surface area: container images. Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work, which is low compared with how well developers perceive their security team to understand other aspects of their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software build tools (59%).
The report also reveals the difficulty of balancing security priorities with developer productivity. Over three quarters (77%) of CISOs and more than two-thirds of developers (68%) agree that the need to prioritize security causes tension between their teams. While developers don’t want their day-to-day productivity to be affected by security tools or requirements, 56% say it is impossible to do their best work with their current software supply chain security tools, or lack thereof, in place, and 73% of developers agree that the requirements of their security teams interfere with their productivity and innovation.
While a lack of collaboration and communication between developers and security teams is a problem acknowledged by 69% of CISOs and 64% of developers, both groups agree that it is absolutely essential that best practices and tooling in software security result in certain business outcomes, including customer retention (43% and 40%, respectively), meeting or satisfying procurement contract obligations (36% and 32%), fewer breaches or compromises (34% each), and developer/engineer productivity (32% and 34%). Currently the most widely used tools are software supply chain observability tools like CSPM platforms, reported by 68% of developers and 63% of CISOs. Digital software signatures like Sigstore are used by 56% of developers, and 40% use SBOMs.
Despite some disconnect between CISOs and developers regarding each other’s security prowess or understanding of tooling, software supply chain security is a top priority for both groups: 92% of developers say software supply chain security is at least very important to their day-to-day work and development processes, with 39% marking it as absolutely essential.
Last Updated ( Wednesday, 08 November 2023 )