Insights Into Software Supply Chain Security
Written by Sue Gee   
Wednesday, 08 November 2023

A report from Chainguard reveals that while software developers and security leaders are committed to tackling software supply chain security, differences in their perspectives and priorities can cause tension.

The 2023 CISO & Developer Trends in Software Supply Chain Security Report has the findings of a survey that aimed to cover:

  • The importance of software supply chain security to developers and security leaders
  • The pain points and successes in current approaches to software supply chain security among developers and security leaders
  • The expectations around responsibility for software supply chain security across an organization’s developers and security leaders

The research was conducted online in the U.S. by The Harris Poll and involved a total of 520 participants; 268 Security Decision-Makers (CISOs) and 252 Developers.

SSCS Priorites

As this chart indicates, while a majority of both CISOs (52%) and developers 70% view supply chain security as important there is discrepancy where it falls in the prioritization stack - coming a close second to the top priority of cybersecurity risk management /compliance for developers and a more distant third for CISOs.

Compared to CISOs, developers feel more responsible for implementing safe software practices and reducing risks on the software supply chain and 72% developers say they are very security conscious in their role. However, only 50% of CISOs rate software developers as very security-conscious.

Another area of contention is container images. Developers report security teams don’t understand a crucial security surface area: container images. Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work, which is low when compared to other aspects of how developers perceive their security team to understand their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software build tools (59%).  

The report also reveals the difficulty of balancing security priorities with developer productivity. Over three quarters (77%) of CISOs and more than two-thirds of developers (68%) agree that the need to prioritize security causes tension between their teams. While developers don’t want their day-to-day productivity to be affected by security tools or requirements, 56% say it is impossible to do their best work with their current software supply chain security tools, or lack thereof, in place and 73% of developers agree that the requirements of their security teams interferes with their productivity and innovation.  
 

While lack of collaboration and communication between developers and security teams is a problem acknowledged by 69% of CISOs and 64% of developers both agree that it is absolutely essential that best practices and tooling in software security result in certain business outcomes, including customer retention (43% and 40%, respectively), meeting or satisfying procurement contract obligations (36% and 32%), fewer breaches or compromises (34% each), and developer / engineer productivity (32% and 34%). Currently the most widely used tools are software supply chain observability tools like CSPM platforms, reported by 68% of developers and 63% of CISOs. Digital software signatures like Sigstore are used by 56% of developers and 40% use SBOMs. 

 
SSCS Tools
 

 

Despite some disconnect between CISOs and developers regarding each other’s security prowess or understanding of tooling, software supply chain security is a top priority for both groups, with  92% of developers say software supply chain security is at least very important to their day-to-day work and development processes, with 39% marking it as absolutely essential.

 
chainguard

 

 

More Information

2023 CISO & Developer Trends in Software Supply Chain Security Report

Chainguard 

Related Articles

Extent Of Buggy and Risky Open Source Code Revealed

Wolfi Linux (Un)Distribution Secures The Software Supply Chain

Chainguard Announces AI Images Bundle

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Azul Intelligence Cloud Expands Support
02/05/2024

Azul has announced that its cloud analytics solution, Azul Intelligence Cloud, now supports Oracle JDK and any OpenJDK-based distribution. More DevOps teams will now benefit from its ability to b [ ... ]



Google Gemini API Developer Competition
17/05/2024

Google is running a Gemini API Developer Competition with prizes including a 1981 custom electric DeLorean. Entrants will use the Gemini API to tackle real-world challenges, and the organizers su [ ... ]


More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 08 November 2023 )