- 65% of organizations have faced supply chain attacks in the past year
- Adoption of GenAI compounds risks; only 24% analyze AI-generated code for security or IP issues
- Compliance and continuous automation improve the speed of remediation and the effectiveness of defense.
The software supply chain, a comprehensive network of components, tools and processes used to develop, build and deliver software, has become a popular new attack surface, providing cybercriminals with the ability to bypass standard defenses and reap disproportionate rewards from a single compromise.
That’s according to “Navigating Software Supply Chain Risk in a Rapid-Release World,” an in-depth new report from application security company Black Duck.
Based on a survey of 540 software security leaders, the report indicates that two-thirds (65%) of organizations have experienced at least one attack on their supply chain in the past 12 months.
Compliance is key
These incidents are becoming increasingly multifaceted, with organizations reporting malicious dependencies (30%), unpatched vulnerabilities (28%), zero-day exploits (27%), and malware injections into build pipelines (14%).
The speed at which generative artificial intelligence (GenAI) is being adopted in businesses is only making matters worse. Black Duck says that almost all organizations (95%) now use AI tools for software development (mainly ChatGPT), but security controls are not keeping pace: confidence in the tools is high, while actual verification of their output is alarmingly low.
In fact, only a quarter (24%) of organizations analyze AI-generated code for things like intellectual property, licensing, security or quality risks. According to the report, this leaves plenty of room for supply chain vulnerabilities, including the introduction of copyrighted intellectual property or the exposure of sensitive API keys.
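The check that the 24% are performing and the rest are skipping can be automated cheaply. The following is an added example, not code from the article or from Black Duck: a small Python scanner that flags hard-coded credentials in assistant-generated code using known key formats plus a Shannon-entropy test on suspicious assignments, while ignoring the placeholder values that assistants commonly emit. The sample snippet, the function names (`scan_source`, `shannon_entropy`), the pattern list and the entropy threshold are all constructed for this example.

```python
import math
import re
from dataclasses import dataclass

# Known credential formats (constructed list for this example; the prefixes
# follow the providers' public token formats). Extend as needed.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic fallback: an assignment whose name looks secret-ish and whose value
# is a quoted literal of at least 16 characters.
GENERIC_ASSIGN = re.compile(
    r"""(?i)\b(?P<name>[A-Z0-9_]*(?:secret|token|password|passwd|api_?key|private_?key)[A-Z0-9_]*)"""
    r"""\s*[=:]\s*["'](?P<value>[^"']{16,})["']"""
)

# Values that are obviously placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)your[_-]?|<[^>]*>|x{4,}|changeme|placeholder|dummy|\.\.\.")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above English text."""
    if not s:
        return 0.0
    freq: dict[str, int] = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    snippet: str  # redacted so the report itself does not leak the secret


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "..."


def scan_source(source: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return findings in line order. Known formats win; the entropy check only
    runs on lines that no known format matched, so nothing is double-counted."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        matched_known = False
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, redact(m.group(0))))
                matched_known = True
        if matched_known:
            continue
        m = GENERIC_ASSIGN.search(line)
        if m:
            value = m.group("value")
            if PLACEHOLDER.search(value):
                continue  # "your_api_key_here" and friends are not secrets
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(lineno, "high_entropy_secret", redact(value)))
    return findings


# Constructed sample of assistant-generated code; none of these are real keys.
SAMPLE_GENERATED_CODE = '''\
import os

# Constructed sample of assistant-generated code; none of these are real keys
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "q7Zt3bLmX9pRkW2vNs8JfH4yDgC6aUeT1oBi5xQz"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
STRIPE_API_KEY = "your_api_key_here"
DB_PASSWORD = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_GENERATED_CODE):
        print(f"line {f.line}: {f.kind} ({f.snippet})")
```

Running it reports lines 4, 5 and 6 (the AWS access key, the high-entropy AWS secret and the GitHub token) and stays quiet on the placeholder and on the value read from the environment. A check like this belongs in the pre-commit hook or CI step that reviews every assistant-generated change, not in an occasional audit.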
To strengthen your defenses, you need to think carefully about compliance. Black Duck says that, contrary to popular belief, a compliance-first approach actually speeds up security response times.
There appears to be a clear correlation between robust compliance controls and the speed of remediation: 54% of organizations using four or more types of compliance controls report acting on critical vulnerabilities quickly, compared with 45% of respondents overall.
Additionally, automation appears to be non-negotiable. Relying on periodic manual monitoring, as around 36% of respondents currently do, is widely considered insufficient. At the same time, organizations with automatic continuous monitoring are described as “much more effective”.