The security of your software supply chain is vital to ensuring application security. But far too many organizations do not have a comprehensive understanding of where critical components of their software delivery come from – or misunderstand it completely.
For nine years running, Sonatype’s State of Software Supply Chain Security Report has analyzed the challenges of protecting a software supply chain from attack and offered guidance on improving it. The latest edition contains some crucial findings about how well organizations understand their supply chains, the vulnerabilities and challenges they commonly face, and what the emergence of AI means for software security and delivery.
In a recent conversation, I sat down with Sonatype CTO Brian Fox and VP of Product Innovation Stephen Magill to discuss key findings and trends from the latest report. Here’s what I learned from the conversation.
Organizations still struggle to understand what a software supply chain is and where critical components of their software are sourced.
For most products in most industries, organizations understand exactly how each piece of their product is sourced and made. As Brian Fox points out, car manufacturers have a comprehensive understanding of the sourcing of all of their parts.
But software development organizations still struggle to understand their own supply chains, and that gap poses grave risks.
As Brian told me: “The typical modern application is about 90 percent third-party components. Most of those would be open source. So, 90 percent of the code volume inside of any application is coming from places and people that don’t work for you. So, what are the risks? Well, they don’t work for you. You may not know them all. So, there are sometimes untrustworthy components in there. There are components that have lower quality than others. There are some that have defects. The fact that most organizations don’t have controls in place means that it’s sort of up to the developers to decide what’s appropriate.”
Open source components are being used throughout software supply chains, but most organizations have vastly different approaches to security between their own components and open source components.
Sonatype’s latest report showed that while developers use open-source components throughout their software delivery, many software leaders don’t understand the extent to which that is happening. Worse, these organizations apply vastly different security protocols and standards to their internally developed components than to the open-source components they consume.
As Stephen said:
“It’s pretty standard to do code review, right? To be using some sort of static analysis tool, to be using a dependency management tool or an SCA tool. Those are almost universal practices, certainly considered best practices and widely implemented in industry. If you look at open source practices in that space, the rates are much, much lower… And so we took a look at that data in this last year’s Open Source Security Foundation report to just see overall what are the rates of these various practices across open source, and for code reviews specifically. So it’s scored on a 0 to 10 scale. Zero is there’s no evidence of code review at all, and then you get partial points if you’re reviewing some things… So only 19% of open source projects scored greater than 0 at all. So 81% are scoring zero, no code review, and only 2% are receiving the full score of 10. That would just not be allowed in industry. You would pause production and revamp.”
As governments push for accountability, more organizations are proactively prioritizing supply chain security including utilizing SBOMs.
So, who’s driving the movement to ensure software supply chain security is a priority for individual organizations and our industry? We talked about how over the last few years, governments have been the main drivers of more accountability in software supply sourcing and development, not only because of their oversight power but because they are some of the biggest purchasers of software in the world.
“We, the industry, didn’t get our stuff together fast enough,” Brian said, “and so now governments are getting involved.”
But as Stephen pointed out, organizations are taking on more and more responsibility:
“Governments, in many cases, started this conversation as the driver of these practices, but we’re seeing them make their way outside government contractual relationships as well. So, the idea that you might need to provide a software bill of materials (SBOM) with your software is important.”
AI poses new opportunities and challenges for supply chain security.
As with nearly every aspect of software delivery, the arrival of artificial intelligence in software supply chain security brings both challenges and opportunities.
According to Brian Fox, generative AI can be a tool to help analyze data around software dependencies and better strategize about supply chain approaches.
On the other hand, organizations must also get a handle on the use of AI, specifically large language models (LLMs), within their own software delivery. For Brian, the challenges the industry faces here resemble those it faced more than a decade ago with the rise of open-source components.
As Brian told us:
“Some of our customers have been asking us to help them get a handle on LLMs and it to me feels like 15 years ago when organizations said ‘I need help getting a handle on open source. I don’t know what I’m using. I don’t have any way to put controls in place for it.’ And we’ve seen organizations who say ‘We’ve banned LLMs in our products.’ And yet when we scan them we find that there are embedded models in the products. It’s exactly the same problem all over again.”
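The scan Brian mentions, finding model files inside a product that claims to contain none, works because model formats carry recognizable headers regardless of the file name they ship under. The example below is added here for illustration and is not Sonatype’s scanner. It walks a directory tree and classifies files by their leading bytes: the GGUF magic, the HDF5 signature, a safetensors header (8-byte little-endian length followed by a JSON object), a PyTorch-style zip checkpoint containing `data.pkl`, and a raw pickle stream, which is worth flagging on its own because loading one executes arbitrary code. The sample product tree it builds, with models hidden under innocuous names, is constructed for the example.

```python
"""Find embedded ML model artifacts by file header, not by file name.

Added example, not Sonatype's scanner. The sample tree is constructed; the
format signatures are the publicly documented headers of each format.
"""
import json
import os
import struct
import tempfile
import zipfile

MAX_SAFETENSORS_HEADER = 100_000_000  # sanity bound on the JSON header length


def classify(path):
    """Return a short label for a recognized model format, else None."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"GGUF"):
        return "gguf"
    if head.startswith(b"\x89HDF\r\n\x1a\n"):
        return "hdf5 (keras/tensorflow weights)"
    # safetensors: u64 LE header length, then a JSON header starting with '{'
    if len(head) >= 9:
        hlen = struct.unpack("<Q", head[:8])[0]
        if 0 < hlen < MAX_SAFETENSORS_HEADER and head[8:9] == b"{":
            return "safetensors"
    if head.startswith(b"PK\x03\x04"):
        # torch.save() output is a zip archive whose payload is data.pkl
        try:
            with zipfile.ZipFile(path) as z:
                if any(n.endswith("data.pkl") for n in z.namelist()):
                    return "pytorch zip checkpoint (contains pickle)"
        except zipfile.BadZipFile:
            pass
        return None
    # pickle protocol >= 2 starts with PROTO (0x80) and the protocol number
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5:
        return "pickle (sklearn/torch style; arbitrary code on load)"
    return None


def scan(root):
    """Walk root and return sorted (relative path, label) pairs for hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = classify(path)
            if label:
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)


def build_sample_tree():
    """Constructed product tree: four disguised models plus one plain file."""
    root = tempfile.mkdtemp(prefix="product-")
    os.makedirs(os.path.join(root, "assets", "fonts"))
    # GGUF v3 header (magic, u32 version, u64 tensor count, u64 kv count)
    with open(os.path.join(root, "assets", "fonts", "ui.dat"), "wb") as f:
        f.write(b"GGUF" + struct.pack("<IQQ", 3, 0, 0))
    # safetensors: 8-byte LE header length followed by the JSON header
    header = json.dumps({"__metadata__": {"format": "pt"}}).encode()
    with open(os.path.join(root, "assets", "weights.bin"), "wb") as f:
        f.write(struct.pack("<Q", len(header)) + header)
    # raw pickle (protocol 4) of None: PROTO 4, NONE, STOP
    with open(os.path.join(root, "config.cache"), "wb") as f:
        f.write(b"\x80\x04N.")
    # torch-style zip checkpoint
    with zipfile.ZipFile(os.path.join(root, "resources.zip"), "w") as z:
        z.writestr("archive/data.pkl", b"\x80\x02N.")
    # ordinary file that must not be flagged
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("not a model\n")
    return root


if __name__ == "__main__":
    for rel, label in scan(build_sample_tree()):
        print(f"{rel}: {label}")
```

Matching on headers rather than extensions is the point: a policy that bans LLMs is only as good as the inventory behind it, and a renamed `.dat` or `.cache` file defeats any check that trusts the file name. ONNX and other bare-protobuf formats have no fixed magic and would need a structural parse, which this example does not attempt.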
There was a lot in this conversation, including more on specific data and emerging trends from Sonatype’s annual study. Watch the full conversation here.
Looking to make application security or supply chain security a priority? We’d love to chat about your current challenges and opportunities and how our experts can help.