Survey Report: State of Software Supply Chain Security
Some key takeaways are provided below. Get a copy of the complete report to find more insights and useful tips.
#1. Building From Source But Not Securely
Almost 80% of the organizations surveyed build some or most components from source, but only 22% can create reproducible builds.
Without reproducibility, no built artifact can be deemed secure since there is no way to verify if the source code was compromised when the original build was produced. As a result, these organizations could be using compromised code and never know it until they (or their customers) get hacked.
Lacking reproducibility, what are organizations doing to help ensure the integrity and security of open source builds? Get the complete report to find out.
#2. We’ve Got Trust Issues
A worryingly high proportion of organizations (more than 30%) continue to implicitly trust open source repositories.
Even though open source organizations are making great strides to improve the security of their public repositories, the reality is that they are still the wild west where anything goes. Implicitly trusting open source components from public repositories exposes organizations to security risks, including typosquatting, dependency confusion, and prebuilt binaries that may contain malware.
How can organizations trust but verify the open source they import? Get the complete report to find out.
#3. Roll Up Your Sleeves
More than 60% of survey participants scored poorly, pointing to the general insecurity of the existing software supply chain. Worse, the implementation rate of best-practice security and integrity controls simply does not match the growing supply chain threat.
Integrating multiple point solutions and custom code can be both costly and time-consuming, as evidenced by the fact that larger enterprises have made more headway here than smaller organizations. Much more work needs to be done in 2022 to ensure software development organizations and their downstream customers can credibly avoid being compromised by bad actors.
How do your supply chain security implementations compare with the organizations that participated in our survey? Get the complete report to find out.
Looking for a turnkey software supply chain solution for you and your team?
The ActiveState Platform is available for developers and professionals to try for free.
Want to get a free demo to see how it works for your security needs? Send a message to our team who can help you better understand our Platform and how it can integrate with your existing workflow.
How to try the ActiveState Platform for your Python, Perl and Tcl projects?
Developers can sign up for our Platform and use it to build a runtime environment for their Python or Perl projects right away. Or they can install it via the command line using the snippet provided here.