According to Chainguard, a majority of both developers and CISOs consider software supply chain security a top priority in their role (70% and 52% respectively).
However, there is a clear divide and even some distrust between CISOs and developers regarding how security-conscious each department within the organization is, who is responsible for preventing and mitigating security issues, how well CISOs understand developers’ day-to-day tools. and how well developers understand the risks associated with aspects of their work and the tools they use.
“Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the best-resourced and staffed organizations,” said Kim Lewandowski, CPO at Chainguard. “The report’s findings reflect the tension in the security landscape as organizations rethink how to maintain developer speed and the benefits of open source technology, while closing the gap on a new class of vulnerabilities that have created software supply chains . ”
CISOs emphasize software security in their threat mitigation strategy
72% of software developers say they are very security conscious in their role, while only 50% of CISOs rate software developers as very security conscious.
Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work, which is low compared to other aspects of how developers view their security team when it comes to understanding their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software building tools (59%).
The report shows that 92% of developers say software supply chain security is at least very important to their daily work and development processes, while 39% consider it absolutely essential. 93% of CISOs cite effective software security as a critical part of their organization’s maturity and threat and risk mitigation strategy, and 96% say effective software security practices are important to meet government or regulatory requirements.
36% of CISOs and 34% of developers report that an overwhelming number of false positive vulnerability alerts from scanners are among the biggest obstacles an organization faces in ensuring software supply chain security. Both groups also cite the consumption of vulnerable software and a lack of cohesion between CISOs and developers as top barriers to software supply chain security.
Lack of communication and collaboration between developers and security teams
69% of CISOs and 64% of developers agree that lack of communication and collaboration between developers and security teams is a problem. Despite the tension present, both teams agree that it is absolutely essential that software security best practices and tools result in certain business outcomes, including customer retention (43% and 40% respectively), meeting or fulfilling contract obligations (36 % and 40%). 32%), fewer breaches or compromises (34% each) and developer/engineer productivity (32% and 34%).
“Developers and CISOs are juggling numerous security priorities, which often conflict across organizations,” said Luke Shoberg, Global CISO at Sequoia Capital. “The report highlights the need for internal reviews, fostering deeper collaboration and building trust between teams managing this critical domain. Organizations have recognized technical and cultural barriers and have made significant progress in understanding the importance of securing the software supply chain for sustainable business success.”
“The world of software consumption and security has changed radically. From containers to the explosion of open source components, every move is aimed at empowering developers to build faster and better,” said Avon Puri, Global Chief Digital Officer at Sequoia Capital.
“But with those advances, the security paradigm is being challenged to refocus on better controls and assurances about where software artifacts come from and that their integrity is preserved. The research shows that developers and security teams are grappling with this new reality in the wake of major exploits like Log4j and SolarWinds. There is near-universal awareness of the challenges, but there is still a lot of uncertainty about how best to solve them in the context of trust and collaboration to secure modern toolchains and developer workflows,” said Puri.
Security risks in an age of constant software changes
Developers have already struggled with the natural tension between “build fast and break things” and the “shift-left” security movement. At the same time, CISOs are under immense pressure to maintain the security and compliance of their organizations amid increasing supply chain threats.
According to the report, 77% of CISOs and 68% of developers agree that the need to prioritize security creates tensions between their teams. The report shows that developers don’t want their daily productivity to be affected by security tools or requirements. 82% agree that software supply chain security practices should not make it harder for them to get their work done.
Tooling also adds to the tension: 73% of developers agree that the work/tools their security team expects them to use hinders their productivity and innovation.
While the industry has closed some of the gaps in the old world of software consumption, today the new modern reality faces even more open source software, including an explosion of open source software, constant upgrades and patches, and new types of exploits that target on software artifacts, images, and build systems.
Software supply chain security frameworks – such as Supply-chain Levels for Software Artifacts (SLSA) and the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) – have matured quickly and given security teams methods for how they approach policy and supervision. while developers are given more prescribed best practices.
Organizations are preparing for future shifts in software supply chain security
According to the report, in line with the importance developers and CISOs already place on software supply chain security, most developers and CISOs say their organizations already have a number of tools in place to address software supply chain security. These include the adoption of SBOMs (40%) and almost half implementing software supply chain security frameworks such as SLSA (47%) and SSDF (47%).
In addition to the existing adoption of software supply chain security tools and frameworks, CISOs and developers expect to see changes in software supply chain security in their organizations over the next five years.
The majority believe that prioritization of software supply chain security will increase over the next five years (85% among developers, 74% among CISOs), with nearly a third of developers saying this will increase significantly (32% and 22 % among security companies). leaders).
CISOs are taking a slightly more measured approach, with 23% expecting their company’s approach to remain the same (vs. 15% among developers). This somewhat tempered view of security decision-makers’ prioritization could be due to their own greater involvement and visibility into long-term security strategy decisions.