
Maturity of Software Supply Chain Security Practices 2024

Liam Dodd, Konstantinos Korakitis
English

Overview

Software supply chain security refers to safeguarding the components, processes and practices of the software factory from threat actors intent on disrupting business operations and causing financial harm.

Maturity of Software Supply Chain Security Practices 2024 aims to measure the extent to which developers and organizations have balanced speed and security in a software supply chain that keeps pace with their release cadences: providing assurance and transparency of software components, compliance and consistency in their build and deploy processes, and system resilience against security threats at runtime.

The findings of this report are based on data collected from an online survey designed, hosted, and fielded by SlashData on behalf of Red Hat Inc. in Q4 2023. The survey reached more than 800 developers from over 80 countries.

Download the report to learn about practices that developers can implement to improve security-focused developer productivity and resilience.

Excerpt

When it comes to mitigating and reducing the risk of security threats in their software delivery, this report reveals that organizations with mature software supply chain security practices can be characterized as knowing precisely how fast their teams are able to isolate, respond to and address security issues once they are discovered.

Starting from the software efficacy and integrity checks that catch vulnerabilities early, the report also looks at improved delivery performance that uses provenance and attestations to meet industry-specific regulatory standards. It goes on to detail the use of security controls in process automation for continuous deployment to a declarative state, and inspects the remediation practices that prevent security events from causing prolonged downtime. Here are some of the insights gathered.

Key Insights

It remains challenging for developers to write code that stays compliant with their organization's security practices without the cognitive overload and manual overhead that come with a DevOps practice. This report shows that only 20% apply standardized security practices each time a pull request is made, and that 57% do not use build information to verify whether pipeline compliance has been met.

Compliance in the software supply chain is drawn from automated image assessment that verifies vendor-supplied base images, rather than from organizations curating their own trusted content. Dependency analysis becomes challenging when trying to ascertain risk profiles, especially when trying to understand the impact radius of any given security threat.

  • Though 51% of development teams ensure the trustworthiness of open source packages through either vulnerability and dependency management tools or responsible disclosure policies, only 11% of organizations currently have some form of open source software governance policy.
  • 57% of developers do not harness the information in a software bill of materials (SBOM) to verify whether pipeline compliance has been met. 61% also say they don't know how to store and analyze SBOMs, much less how to generate one. Being security compliant in the software supply chain (SSC) to safeguard build systems from malicious code injection does not need to be complicated.
  • While 58% scan the files in their system configuration management at a frequency consistent with the elite-to-high maturity group, protecting against poisoned pipeline execution, a large majority (63%) of developers still make poor base image selections, consistent with a medium-maturity practice.
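To make the SBOM point concrete, here is an added example (not code from the report, Red Hat or SlashData) of the kind of pipeline gate the second insight describes: it parses a CycloneDX JSON SBOM and fails the build when a component is unpinned, carries a licence outside an allow list, or matches a denylisted package. The SBOM document is constructed by hand for illustration, and the policy values (the allowed licences and the denylisted package `pkg:pypi/evil-helper`) are hypothetical, not drawn from any real advisory.

```python
"""Analyse a CycloneDX JSON SBOM and gate a pipeline on it.

Added example, not from the report. The SBOM below is constructed by
hand for illustration; the policy values (allowed licences and the
denylisted package) are hypothetical, not taken from a real advisory.
"""
import json

# Constructed CycloneDX 1.5 document with four components that exercise
# the checks below: one clean, one unpinned, one with a non-allowed
# licence, and one on the (hypothetical) denylist.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "payments-api", "version": "2.4.1"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad-clone",
         "purl": "pkg:pypi/leftpad-clone",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "strict-gpl-lib", "version": "1.0.0",
         "purl": "pkg:pypi/strict-gpl-lib@1.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "evil-helper", "version": "0.9.3",
         "purl": "pkg:pypi/evil-helper@0.9.3",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Hypothetical organisational policy: licences a service may ship with,
# and package coordinates (purl without version) known to be bad.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
DENYLIST = {"pkg:pypi/evil-helper"}


def load_sbom(text):
    """Parse a CycloneDX JSON SBOM and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def component_licenses(component):
    """Collect the SPDX ids, names or expressions declared for a component."""
    ids = set()
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ids.add(lic.get("id") or lic.get("name", "UNKNOWN"))
        elif "expression" in entry:
            ids.add(entry["expression"])
    return ids


def check_sbom(sbom, allowed_licenses=ALLOWED_LICENSES, denylist=DENYLIST):
    """Return (component name, reason) findings; an empty list means pass."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        # Every component must be pinned so the SBOM names exactly what
        # shipped and the build can be reproduced.
        if not comp.get("version") or not purl or "@" not in purl:
            findings.append((name, "unpinned: missing version or versioned purl"))
        # Drop the version and qualifiers before matching the denylist.
        if purl:
            coordinates = purl.split("@", 1)[0].split("?", 1)[0]
            if coordinates in denylist:
                findings.append((name, f"denylisted package {coordinates}"))
        # Missing or disallowed licences block the release.
        lics = component_licenses(comp)
        if not lics:
            findings.append((name, "no licence declared"))
        for lic in sorted(lics - allowed_licenses):
            findings.append((name, f"licence {lic} not in allow list"))
    return findings


def pipeline_gate(sbom_text):
    """True if the SBOM passes policy; a CI step would exit non-zero otherwise."""
    return not check_sbom(load_sbom(sbom_text))


if __name__ == "__main__":
    for name, reason in check_sbom(load_sbom(SAMPLE_SBOM)):
        print(f"FAIL {name}: {reason}")
    print("gate:", "pass" if pipeline_gate(SAMPLE_SBOM) else "block")
```

Run against the constructed document, the gate blocks on three findings (the unpinned `leftpad-clone`, the AGPL-licensed `strict-gpl-lib`, and the denylisted `evil-helper`) while `requests` passes cleanly. In a real pipeline the SBOM would come from a generator such as syft or the build tool's own CycloneDX plugin, the denylist from a vulnerability feed, and the findings would be stored next to the build's provenance so that the "impact radius" question above can be answered by querying stored SBOMs rather than rebuilding.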