State of Software Supply Chain Security
In October 2021 nearly 1500 software professionals like you shared with us how secure their use of open source is. We’ve crunched the numbers and pulled out what should matter to organizations in 2022.
Use this report to see what works, what doesn’t, and how you can implement best practices that can ensure the security and integrity of your software supply chain.
#1. Building From Source But Not Securely
Almost 80% of the organizations surveyed build some or most components from source, but only 22% can create reproducible builds.
Without reproducibility, no built artifact can be deemed secure since there is no way to verify if the source code was compromised when the original build was produced. As a result, these organizations could be using compromised code and never know it until they (or their customers) get hacked.
Lacking reproducibility, what are organizations doing to help ensure the integrity and security of open source builds?
#2. We’ve Got Trust Issues
A worryingly high proportion of organizations (more than 30%) continue to implicitly trust open source repositories.
Even though open source organizations are making great strides to improve the security of their public repositories, the reality is that they are still the wild west where anything goes. Implicitly trusting open source components from public repositories exposes organizations to security risks, including typosquatting, dependency confusion, and prebuilt binaries that may contain malware.
How can organizations trust but verify the open source they import?
#3. Roll Up Your Sleeves
More than 60% of survey participants scored poorly, pointing to the general insecurity of the existing software supply chain. Worse, the implementation rate of best-practice security and integrity controls simply does not match the growing supply chain threat.
Integrating multiple point solutions and custom code can be both costly and time-consuming, as evidenced by the fact that larger enterprises have made more headway here than smaller organizations. Much more work needs to be done in 2022 to ensure software development organizations and their downstream customers can credibly avoid being compromised by bad actors.
How do your supply chain security implementations compare with the organizations that participated in our survey?
Did you know the ActiveState Platform could work like a turnkey software supply chain solution for you and your team?
Contact us for a demo
Want to get a free demo to see how it works for your security needs? Send a message to our team who can help you better understand our Platform and how it can integrate with your existing workflow.
Use your free or paid Platform Account to try it yourself
Use your email or GitHub credentials to sign up (if you haven’t already) and start using the ActiveState Platform’s Web GUI or CLI tooling right away.