Software Supply Chain Maturity

 

Software supply chain maturity - peer insights

In this year's report, we dive into insights gleaned from 621 enterprise engineering professionals, providing invaluable perspectives on software supply chain management and organizational development practices. Our analysis draws from a comprehensive survey that explored the multifaceted landscape of software supply chain management, including the utilization of open source software (OSS) components, dependency management, governance, approval processes, and tooling. The survey also covered questions related to development practices, demographics, and job satisfaction levels, culminating in a more holistic view of software supply chain maturity at an enterprise and industry level.

Expanding horizons

Over the last decade, the software supply chain landscape has experienced rapid and significant changes. In the past year alone, the emergence of generative AI capabilities and introduction of global regulatory initiatives spurred modernization efforts in software development across industries. 

To further understand this ever-evolving landscape, we marry last year’s findings with what’s changed today. We explore interesting year-over-year (YoY) trends, examine the growing demand for software bills of materials (SBOMs), and identify key practices aimed at not wasting developer time. Furthermore, we take a deeper look at companies affected by open source risk, particularly those who have experienced security breaches. Through this investigation, we aim to shed light on how these organizations may differ from their peers and provide insights into bolstering security measures within the software supply chain.

Continuing objectives and methodologies

Consistent with our approach in previous editions, this chapter maintains two core objectives:

• Provide a benchmark and maturity model that enables organizations to assess their practices in comparison to their industry peers.
• Determine if reported software supply chain practices align with desirable outcomes.

To evaluate responses to the comprehensive survey, we will examine them within the framework of eight themes of mature software supply chain management practices:

 

How mature are today’s software supply chains?

We've distilled and presented collective insights from the 621 surveyed individuals in Figure 4.1. To develop this summary, we averaged each individual’s responses on questions that align with the eight themes. In each theme, we scored the responses from 1 to 5, corresponding to the five stages of software supply chain maturity. From Unmanaged (least mature) to Monitor & Measure (most mature), as noted in Figure 4.2.

 

Perception is disconnected from reality – again 

In last year’s survey, the data showed a notable pattern: respondents tended to self-report a higher level of software supply chain maturity than their actual stage of advancement, leaving many with an inflated sense of security. This trend persists into this year’s findings.

Overall, this year’s survey reveals that respondents generally demonstrated lower levels of maturity in the Digital Transformation theme and higher levels of maturity in Remediation. This consistent year-over-year trend underscores a fascinating disparity between how survey respondents self-assess their progress in actively addressing vulnerabilities (indicative of higher maturity) versus their capacity to garner essential buy-in, sponsorship, training, and operational processes for effective remediation (reflecting lower maturity).

From this, a striking statistic emerges: 67% of respondents feel confident that their applications do not rely on known vulnerable libraries. However, nearly 10% of respondents reported that their organizations had security breaches due to open source vulnerabilities in the last 12 months, while 20% were unsure if their organization had been breached. Pair this with the objective information we saw in Chapter 1 – that 1 in 8 open source downloads have a known vulnerability – and it’s clear that no matter how we look at it, there continues to be a software supply chain management problem.

In addition, aside from remediation and application inventory, most respondents received ratings below the "4 - Control" level of maturity. The Control level represents a crucial milestone, where organizations move from a phase of uncertainty to a minimal level of maturity that enables the production of high-quality outcomes. Notably, the three maturity levels preceding Control (Unmanaged, Exploration, Ad Hoc) are considered suboptimal and predominantly received the bulk of survey responses.

To get a sense of how your organization compares, take this short quiz on software supply chain maturity.

How have software supply chain management trends changed?

The software supply chain plays a vital role in modern development processes. Understanding its dynamics is crucial for mitigating risk and ensuring operational efficiency. This section unveils key insights from our survey of engineering professionals, offering a comparative analysis of this year’s responses to those of the previous year. By analyzing these year-over-year trends, we gain a clear view of significant changes and evolutions in the landscape of the software supply chain.

Finding #1: Increased focus on open source risk 

In a landscape marked by the growing volume of open source, efficiency in software development is the key to not wasting developer time. This year, our survey results highlighted the interplay between effective tools, developer satisfaction, and optimized work processes. Respondents reported an increase in the use of integrated tooling (+9.8%), growing awareness of and focus on open source risk (+9.3%), improved dependency upgrade decisions (+9.6%), and greater comfortability in software supply chain management (+77%) - all of which point to a maturing market and an increasing industry-wide understanding of the downstream threats vulnerable open source poses.

Changes in supply chain management trends

ADOPTION OF INTEGRATED TOOLING

One notable trend observed this year is a decline in the reliance on ad-hoc reports for obtaining risk information about open source libraries. A substantial decrease of 14.5% was recorded among respondents who received reports from external sources. However, a corresponding 9.8% increase was found in the integration of risk information into continuous integration (CI) and build processes. This shift aligns with the changing preferences, where more professionals now favor obtaining risk information within their existing workflows, rather than relying on separate reports.

 

GROWING FOCUS ON OPEN SOURCE RISK

Another interesting finding: open source is very much a focus for engineering teams, and is a growing one at that. There was a significant increase in respondents disagreeing with the statement that "open source risk is not currently a focus" for their organization (9.3%), and likewise, a decrease in those agreeing (-9.6%). 

 

IMPROVED UPGRADE DECISIONS

Respondents reported a decreasing number of times that dependency upgrades "always/often/frequently" broke the functionality of their application, and an increase in the number of times dependency upgrades rarely or never broke their application's functionality. Not only does this point to respondents getting better at handling dependency upgrades and avoiding breaking changes, it also shows a deeper understanding of open source hygiene. 

 

GREATER COMFORT EQUALS GREATER EFFICIENCY

Overall, respondents felt more comfortable and familiar with topics surrounding software supply chain management this year. There was a 7.7% increase in those that kept up with software supply chain trends.

However, in line with the chapter's earlier findings, a broader lack of overall maturity and efficiency in software supply chain management persists. While the focus on open source risk has intensified, this year’s findings revealed a decline in the use of automated open source processes, a lack of well-defined processes, and a lower number of respondents that follow their organization's open source approval procedures. In other words, organizations continue to grapple with immature practices that waste time and resources – weighing teams down and slowing development.

A year-over-year decrease in agreement (9.5%) and increase in disagreement (3.4%) with the statement "We have executive sponsorship" underscores that achieving software supply chain maturity necessitates not only effective tools but also strong organizational support.

In summary, although there is an increased focus on and awareness of open source risk, organizations have ample ground to cover in implementing best practices for mitigating these risks effectively.

Finding #2: Rise in demand for software bills of materials

Thanks to mandates outlined in President Biden's Executive Order 14028, Improving the Nation’s Cybersecurity and growing global regulatory efforts, one open source best practice that is experiencing a growth in adoption is the use of an SBOM.

An SBOM serves as a comprehensive inventory, outlining the various components and dependencies of a software application. It provides a detailed list of the software's building blocks, including open source and third-party libraries, along with their respective versions. This document serves as a critical resource for understanding and managing the software supply chain. By enabling developers and organizations to accurately track and assess the security and licensing aspects of software components, SBOMs play a vital role in software development, cybersecurity, and regulatory compliance. SBOMs provide transparency and visibility into software composition, thereby facilitating efficient risk management, enhancing vulnerability response, and supporting effective software maintenance. Ultimately, while the creation of SBOMs themselves doesn’t equate to security, the adoption of SBOMs contributes to building secure, reliable, and trustworthy software systems, benefitting both software producers and consumers. 

This year, we took a deeper look at the usage and demand for SBOMs. Findings revealed that nearly 53% of the surveyed engineering professionals reported they are generating an SBOM for every application (Figure 4.3). Notably, respondents who adopted this practice were less likely to report security breaches.

However, when we contrast this with survey results from cybersecurity leaders at large enterprises (over £50 million/$50 million annual revenue), we observed that 75% of these leaders reported generating SBOMs for their applications. Compared to the 53% reported by engineering professionals in our general survey, this discrepancy underscores the heightened demand for SBOMs at larger enterprises. Although, this finding also might just track with last year’s data that revealed how managers often report higher stages of maturity compared to other roles. Compared to respondents working in information security, IT managers were 1.8 times more likely to strongly agree with the statement "We know the Software Bill of Materials (SBOM) for every application."

In addition, nearly half of the respondents have started asking vendors to supply SBOMs for purchased software, underscoring a higher demand for increased transparency in software supply chains.

Finding #3: The critical connection of hygiene and speed in risk mitigation

This year, we investigated how organizations have been impacted by open source risk, particularly those that have experienced security breaches. 

Our analysis revealed a connection between security breaches and suboptimal management practices such as:

• deploying every change directly to production;
• breaking the functionality of their applications with dependency upgrades; and
• adhering to an entirely waterfall development practice.

Additionally, organizations that experienced breaches exhibited delayed awareness and mitigation of vulnerability risks. Breached organizations were 2.9x more likely to take over six months to become aware of open source vulnerabilities after their discovery, and 1.7x more likely to report never fixing a vulnerability.

Overall, our survey revealed that only 22% of organizations become aware of new open source vulnerabilities within a day of disclosure. Thirty-nine percent (39%) discover them within one to seven days, and 28% take over a week to become aware.

The same survey found that 39% of respondents require over a week to mitigate vulnerabilities (Figure 4.4). This means that the majority of bad actors have days to launch a malicious attack on enterprise targets.

In the context of organizations grappling with security breaches, these findings emphasize the critical connection between maintaining strong hygiene practices and swift risk mitigation. Organizations that have already embarked on the journey to software supply chain maturity are better-equipped to effectively manage open source risks. With advanced software supply chain maturity, these organizations apply streamlined processes for identifying, responding to, and resolving vulnerabilities, significantly reducing the vulnerability window and contributing to their overall maturity.

For organizations navigating the complexities of open source risk and striving for swift mitigation, the path to software supply chain maturity emerges as a pivotal strategy. This enables them to enhance their resilience, ultimately fortifying their security posture and safeguarding against potential breaches.

These findings align with the eight themes of software supply chain management outlined at the beginning of this section. These themes encompass practical strategies aimed at not only enhancing security but also at optimizing developer productivity and reducing the waste of developer time. The journey toward software supply chain maturity is not just a path to enhanced security — it’s also a path to stop wasting developer time. By improving software supply chain maturity, organizations create an environment in which developers can focus on innovation, leading to more resilient and secure software.

The journey toward software supply chain maturity is not just a path to enhanced security — it’s also a path to stop wasting developer time. By improving software supply chain maturity, organizations create an environment in which developers can focus on innovation, leading to more resilient and secure software.