Maturity of Software Supply Chain Security Practices 2024

When mitigating and reducing the risks of security threats in their software delivery, this report has revealed that organizations with matured software supply chain security practices can be characterized as being highly deterministic in understanding how fast their teams are able to isolate, respond and address security issues when discovered.

Defined by software efficacy and integrity checks that catch vulnerabilities early, the report also looks at improved delivery performance that uses provenance and attestations to meet industry-specific regulatory standards. This report proceeds to detail use of security controls in process automation for continuous deployment to a declarative state, as it inspects the use of remediation practices that eliminate prolonged downtimes by security events. Here are some insights gathered.

Key Insights

It remains challenging for developers to write code that remains compliant to the organizations’ security practice, without the inherent cognitive overload and manual overheads that comes with a DevOps practice. This report has shown that only 20% apply standardized security practices each time a pull request is made, where 57% do not use build information to verify if pipeline compliance has been met. 

Compliance in the software supply chain is drawn from the use of automated image assessment that verifies vendor-supplied base images, as opposed to curating their own trusted content. Dependency analytics becomes challenging when trying to ascertain risk profiles, especially when trying to understand the impact radius of any given security threat.

• Though 51% of development teams ensure the trustworthiness of open source packages through either vulnerability and dependency management tools or make use of responsible disclosure policies, only 11% of organizations currently have some form of open source software governance policy.
• 57% of developers do not harness information in a software bill of materials (SBOMs) to verify if pipeline compliance has been met. 61% also say they don’t know how to store and analyze SBOMs – much less know how to generate one. Being security compliant in the SSC to safeguard build systems from malicious code injection does not need to be complicated.
• While 58% perform scanning of files in their system configuration management at a frequency in keeping with the elite-to-high maturity group, to protect from possible poisoned pipeline execution, a large majority (63%) of developers still employ poor base image selection consistent with a medium-maturity practice.