Published: December 9, 2021 Last Updated: January 10, 2022

Survey Report: State of Software Supply Chain Security

In October 2021 nearly 1500 software professionals like you shared with us how secure their use of open source is. We’ve crunched the numbers and pulled out what should matter to organizations in 2022.

Use this report to see what works, what doesn’t, and how you can implement best practices that can ensure the security and integrity of your software supply chain.

The survey report provides a detailed analysis of  each of the 7 questions asked which can help readers understand what wary organizations are doing to limit their exposure to potentially malicious or compromised software they might be introducing within their software development processes, other than just addressing vulnerabilities.

Some key takeaways are provided below. Get a copy of the complete report to find more insights and useful tips.

#1. Building From Source But Not Securely

Almost 80% of the organizations surveyed build some or most components from source, but only 22% can create reproducible builds.

Without reproducibility, no built artifact can be deemed secure since there is no way to verify if the source code was compromised when the original build was produced. As a result, these organizations could be using compromised code and never know it until they (or their customers) get hacked.

Lacking reproducibility, what are organizations doing to help ensure the integrity and security of open source builds? Get the complete report to find out.

#2. We’ve Got Trust Issues

A worryingly high proportion of organizations (more than 30%) continue to implicitly trust open source repositories.

Even though open source organizations are making great strides to improve the security of their public repositories, the reality is that they are still the wild west where anything goes. Implicitly trusting open source components from public repositories exposes organizations to security risks, including typosquatting, dependency confusion, and prebuilt binaries that may contain malware.

How can organizations trust but verify the open source they import? Get the complete report to find out.

#3. Roll Up Your Sleeves

More than 60% of survey participants scored poorly, pointing to the general insecurity of the existing software supply chain. Worse, the implementation rate of best-practice security and integrity controls simply does not match the growing supply chain threat.

Integrating multiple point solutions and custom code can be both costly and time-consuming, as evidenced by the fact that larger enterprises have made more headway here than smaller organizations. Much more work needs to be done in 2022 to ensure software development organizations and their downstream customers can credibly avoid being compromised by bad actors.

How do your supply chain security implementations compare with the organizations that participated in our survey? Get the complete report to find out.


Looking for a turnkey software supply chain solution for you and your team?

The ActiveState Platform is available for developers and professionals to try for free.

Want to get a free demo to see how it works for your security needs? Send a message to our team who can help you better understand our Platform and how it can integrate with your existing workflow.

Contact us for a demo

How  to try the ActiveState Platform for your Python, Perl and Tcl projects?

Developers can sign up for our Platform and use it to build a runtime environment for their Python or Perl projects right away. Or they can install it via the command line using the snippet provided here.

Upto 5 Active Runtimes per organization (or per individual, if for personal use) are free. For information on team tier or enterprise pricing, refer to our Platform Pricing or else contact Sales.

Get a Copy of the Survey Report



Suhani S