Software supply chain attacks pose huge dangers – here’s how to bolster your defenses

  • 65% of organizations faced supply chain attacks in the past year
  • GenAI adoption worsens risks; only 24% analyze AI-generated code for security or IP issues
  • Compliance and continuous automation improve remediation speed and defense effectiveness

The software supply chain, the entire network of components, tools, and processes used to develop, build, and deliver software, has become a popular attack surface, giving cybercriminals opportunities to bypass standard defenses and reap disproportionately large rewards from a single compromise.

This is according to “Navigating Software Supply Chain Risk in a Rapid-Release World”, a new in-depth report published by application security company Blackduck.

Based on a survey of 540 software security leaders, the report states that two-thirds (65%) of organizations experienced at least one supply chain attack in the past 12 months.

Compliance is key

These incidents are becoming increasingly multifaceted, with organizations reporting malicious dependencies (30%), unpatched vulnerabilities (28%), zero-day exploits (27%), and malware injections into build pipelines (14%).

The speed at which Generative Artificial Intelligence (GenAI) is being adopted in the enterprise is only making things worse. Blackduck says that almost all (95%) organizations now use AI tools for software development (mostly ChatGPT), but security protocols are not keeping up. Confidence in the tools is high, while actual verification is alarmingly low.

In fact, only a quarter (24%) of organizations analyze AI-generated code for things like IP, license, security, or quality risks. That, the report argues, leaves plenty of room for vulnerabilities in the supply chain, including introducing copyright-protected IP, or the exposure of sensitive API keys.

To bolster your defenses, you should carefully consider compliance. Blackduck argues that, contrary to popular belief, a compliance-first approach actually accelerates security response times.

There seems to be a clear correlation between robust compliance controls and remediation speed: 54% of organizations using at least four types of compliance controls act on critical vulnerabilities significantly faster, compared with 45% of the general respondent pool.

Furthermore, automation seems to be non-negotiable. Relying on periodic manual monitoring, as around 36% of respondents currently do, is widely considered insufficient. By contrast, organizations with automated continuous monitoring are described as “far more effective”.


Read more @ TechRadar
