Study highlights secure software supply chain best practices


The latest edition of Suse’s Securing the cloud report has found that almost every IT decision-maker polled is concerned about the security risks associated with their software supply chain.

The 2024 edition of the report, based on a survey of 820 IT engineers, architects, developers, security managers and directors, found that 94% of IT decision-makers intend to review their own software supply chain to increase security.

Almost half (46%) of the IT decision-makers polled are considering certifying processes and tools used to build software as a key measure to mitigate the risk and impact of supply chain attacks.

In the report, Suse said the survey data shows that in-house auditing of software is considered the most important measure to mitigate the risk and impact of supply chain attacks.

One in four IT decision-makers (25%) believe government-recognised supply chain-related security certifications will become more of a priority for them over the next 12 months. IT decision-makers also expect source-code auditability (14%), build quality (15%) and software bill of materials (SBOM) depth, quality and security (24%) to be re-evaluated upwards and become more of a priority in the next few years.

The report polled IT decision-makers in the US, Germany, UK, France and the Netherlands. Those based in the US and Europe believe goals on source-code auditability (14%) will be re-evaluated, with the lowest share in Germany (11%) and the highest in the Netherlands (19%), followed by France (17%). Similarly, when asked about the re-evaluation of SBOM depth, quality and security, respondents in the US (20%) and Germany (20%) saw eye-to-eye. Europe as a group attributed it a higher likelihood (26%), with the UK (30%) being strongest in agreement.

However, Suse noted that the decision to re-evaluate the build quality of software supply chains remains a divisive matter. “While last year’s European respondents were more likely (40%) to believe this as compared to US respondents (15%), this year, roles were reversed, with more decision-makers from the US (24%) believing it to be the case compared to Europe (12%),” the report’s authors wrote.

Suse also found that responses to questions about software supply chain risks depended on the respondent's current role in the business. The survey reported that those working as software and network engineers, technical architects or developers are more likely to believe that goals on source-code auditability will be re-evaluated (24% versus a 14% average), but less likely to think goals on SBOM depth, quality and security will be re-evaluated (20% versus a 23% average).

To mitigate the risk and impact of supply chain attacks, the most popular measures used by the IT decision-makers polled include certifying processes and tools used to build software (46%), leveraging software that is backed by principal software providers (44%) and in-house auditing of software (43%).

Certifying processes and tools used to build software is considered more important in the US (59%) compared with Europe (41%).

Suse also reported that in-house auditing of software is a significantly more popular measure in Germany (53%) compared with the UK and Netherlands (both 38%), with France at the average (43%).
