- 65% of organizations faced supply chain attacks in the past year
- GenAI adoption exacerbates risks; only 24% analyze AI-generated code for security or IP issues
- Compliance and continuous automation improve remediation speed and defense effectiveness
The software supply chain, the entire network of components, tools, and processes used to develop, build, and deliver software, has become a highly popular attack surface: it gives cybercriminals a way to bypass standard defenses and reap disproportionate rewards from a single compromise.
This is according to “Navigating Software Supply Chain Risk in a Rapid-Release World,” a new in-depth report released by application security firm Blackduck.
Based on a survey of 540 software security executives, the report states that two-thirds (65%) of organizations have experienced at least one supply chain attack in the past 12 months.
Compliance is key
These incidents are increasingly multifaceted, with organizations reporting malicious dependencies (30%), unpatched vulnerabilities (28%), zero-day exploits (27%) and malware injections into build pipelines (14%).
The speed at which Generative Artificial Intelligence (GenAI) is being adopted in the enterprise only makes matters worse. Blackduck says that almost all (95%) organizations now use AI tools for software development (mostly ChatGPT), but security practices are not keeping up: confidence in the tools is high, while actual verification of their output is alarmingly low.
In fact, only a quarter (24%) of organizations analyze AI-generated code for things like IP, licensing, security or quality risks. That, the report claims, leaves plenty of room for vulnerabilities in the supply chain, including introducing copyrighted IP or exposing sensitive API keys.
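The API-key exposure the report singles out is one of the easier checks to automate before AI-generated code is committed. The script below is an added example written for this page (it is not code from Blackduck or TechRadar): it scans a constructed, AI-style snippet for hard-coded credentials using the documented AWS (`AKIA...`) and GitHub (`ghp_...`) token formats plus a generic rule for secret-looking assignments, with a Shannon-entropy threshold (3.5 bits per character, an assumed tuning value) to skip obvious placeholder strings. The key values in the sample are the placeholders AWS and GitHub publish for documentation, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of AI-generated code for a quick S3 upload helper. The key values are the
# placeholder formats AWS and GitHub publish for documentation, not live credentials.
AI_GENERATED_SNIPPET = """\
import os
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
DB_PASSWORD = "changeme_changeme"                # placeholder: below the entropy threshold
SERVICE_API_KEY = os.environ["SERVICE_API_KEY"]  # the pattern we want generated code to use

def upload(bucket, path):
    s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
    s3.upload_file(path, bucket, os.path.basename(path))
"""

# Assumed tuning value: literals below this many bits of entropy per character are treated as
# placeholders ("changeme", "your-key-here") rather than leaked secrets.
ENTROPY_THRESHOLD = 3.5

# (rule name, pattern, minimum entropy of the matched value). Format-specific rules need no
# entropy check because the prefix and length already identify the credential type.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0.0),
    ("generic-secret-assignment",
     re.compile(r"""(?i)\w*(secret|token|passw(?:or)?d|api[_-]?key)\w*\s*=\s*['"](?P<value>[^'"]{16,})["']"""),
     ENTROPY_THRESHOLD),
]


@dataclass
class Finding:
    line: int      # 1-based line number within the scanned text
    rule: str      # name of the rule that fired
    preview: str   # first four characters of the value, the rest masked


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list:
    """Return one Finding per line that contains a likely hard-coded credential.

    The first rule that fires on a line wins, so a GitHub token assigned to a variable
    named TOKEN is reported once, under the more specific rule.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group("value") if "value" in m.groupdict() else m.group(0)
            if min_entropy and shannon_entropy(value) < min_entropy:
                continue  # low-entropy literal: treat as a placeholder, not a leak
            findings.append(Finding(line_no, rule, value[:4] + "*" * (len(value) - 4)))
            break
    return findings


if __name__ == "__main__":
    for f in scan_source(AI_GENERATED_SNIPPET):
        print(f"line {f.line}: {f.rule}: {f.preview}")
```

Run as a pre-commit hook or CI step over the files an assistant produced, and fail the build on any finding. The entropy threshold is a trade-off: it suppresses noise from placeholders but will also miss a weak real password, so teams that want every literal assigned to a secret-named variable reported can set it to 0.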
To strengthen your defenses, you should carefully consider compliance. Blackduck claims that, contrary to popular belief, a compliance-first approach actually accelerates security response times.
The report finds a correlation between robust compliance controls and remediation speed: 54% of organizations that use at least four types of compliance controls respond to critical vulnerabilities significantly faster, versus 45% across the whole respondent pool.
Automation is likewise essential. Relying on periodic manual monitoring, which around 36% of respondents still do, is described as insufficient, while organizations with automated continuous monitoring are described as "far more efficient".