Over the past year, a significant portion of global organisations (54%) experienced software supply chain attacks, with many struggling to adapt to the escalating risk environment. These findings stem from ‘The State of Software Supply Chain Security Risk’ report, released today by Synopsys in collaboration with the Ponemon Institute. The report highlights that half of the organisations took more than a month to respond to such attacks, and one in five admit their detection and response capabilities are ineffective.
Furthermore, the report underscores the pervasive integration of AI across the software development lifecycle. A majority of security professionals (52%) report the use of AI tools within their development teams, including OpenAI Codex (50%), ChatGPT (45%), and GitHub Copilot (43%). However, despite the efficiency gains from AI-driven automation, concerns arise due to the lack of adequate safeguards. Only 32% of organisations have established procedures to evaluate AI-generated code for potential risks related to licensing, security, and quality.
Survey respondents also voiced concerns about the insufficient commitment from decision-makers in addressing these challenges. Only 39% indicate strong leadership commitment to mitigating malware risks in software supply chains, despite 45% noting an increase in investment following high-profile incidents like the SolarWinds breach. Moreover, only 38% consider the current resources allocated to supply chain security adequate.
“Supply chain attacks are becoming more prevalent across organisations globally, yet this report highlights the sustained weaknesses in existing software development processes and security standards,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “Attackers are getting more sophisticated and thus finding more weaknesses that allow them to explore a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications, and continuously evaluate IP, security threats, and code quality to reduce risk.”
Key findings from the report also highlight:
- Limited adoption of Software Bills of Materials (SBOMs), critical for ensuring supply chain security, with only 35% of organisations producing them.
- Open source vulnerabilities remain a significant concern, with 65% of respondents utilising open source software, yet less than half (47%) deem their security measures highly effective in securing it within the supply chain.
To learn more, download a copy of “The State of Software Supply Chain Security Risks” report, read the blog post or register for the May 23 webinar.