Majority of Organizations Impacted by Software Supply Chain Attacks Over the Past Year, with Many Struggling to Detect and Respond
A recent report from Synopsys Software Integrity Group and Ponemon Institute reveals that 54% of global organizations suffered software supply chain attacks in the past year.
Many struggle to detect and respond, with 50% taking over a month to react. AI usage in code generation is prevalent, yet only 32% evaluate AI-generated code for risks.
Alarmingly, only 39% of leaders are committed to reducing software supply chain risks, and resources are often insufficient. Notably, just 35% of organizations implement Software Bills of Materials (SBOMs), critical for security.
Open source vulnerabilities are high, with 65% using it but less than half securing it effectively.
- 54% of organizations recognize the risk and are aware of software supply chain attacks.
- AI tools like OpenAI Codex, ChatGPT, and GitHub Copilot are widely used, enhancing development efficiency.
- 45% of security professionals report increased investment in software supply chain security post incidents like SolarWinds.
- 50% of organizations use SBOMs for general dependency and vulnerability management.
- 50% of organizations took more than a month to respond to software supply chain attacks.
- One in five organizations is ineffective in detecting and responding to attacks.
- Only 32% of organizations evaluate AI-generated code for license, security, and quality risks.
- A mere 39% of leaders are highly committed to reducing software supply chain risks.
- Only 38% find resources dedicated to securing the supply chain sufficient or very sufficient.
- 65% of respondents use open source software, but less than 47% secure it effectively in the supply chain.
Insights
The findings from Synopsys and the Ponemon Institute underscore a critical issue: the fragility of software supply chains. The fact that 54% of organizations experienced a software supply chain attack in the past year points to a widespread vulnerability that needs urgent attention. One concerning aspect is the 50% of organizations taking over a month to respond to these attacks, highlighting significant gaps in their incident response strategies. This delay increases the potential damage, as attackers can exploit these windows of opportunity to deploy malware or steal sensitive data.
Another alarming statistic is that only 32% of organizations have processes to evaluate AI-generated code, despite the rising adoption of AI tools like OpenAI Codex, ChatGPT and GitHub Copilot. AI can streamline development but it also introduces new risks, particularly if the generated code isn't scrutinized for security and quality.
Software Bills of Materials (SBOMs) are vital in maintaining transparency and security in the supply chain. However, with only 35% of organizations producing them, there's a clear lack of consistent practices. SBOMs help in identifying and managing dependencies and vulnerabilities, which is important given the pervasive use of open-source software, as noted by 65% of respondents.
For investors, this data indicates a growing market for robust cybersecurity solutions, particularly those focusing on supply chain security. Companies that can innovate in this space may see increased demand as organizations look to bolster their defenses.
The report from Synopsys and the Ponemon Institute not only highlights significant vulnerabilities in the software supply chain but also points to potential financial implications. When organizations delay response to attacks, the costs of breaches can escalate quickly. For instance, prolonged exposure can lead to more extensive data loss, regulatory fines and reputational damage, all of which can significantly affect an organization's financial health.
According to the report, only 38% of security professionals believe their organizations have sufficient resources dedicated to securing the supply chain. This suggests a potential increase in future cybersecurity spending. However, the slow adoption of critical measures like SBOMs and AI code evaluation processes indicates a gap that needs to be filled, representing a market opportunity for cybersecurity firms.
Investors should watch for companies that are proactively addressing these issues, as they are likely to perform better in the long term. Firms investing in comprehensive security measures may not only protect themselves better but could also save on costs associated with breaches and regulatory penalties.
Overall, this report suggests that the market for cybersecurity solutions, especially those targeting supply chain security, is likely to grow. Investors should consider companies with a strong focus on innovation in this area.
More than half (
The data also shows that AI is becoming ubiquitous across the software development life cycle. The majority of security professionals (
Survey respondents also cited a worrisome lack of commitment from decision-makers when mitigating these issues. Only
"Supply chain attacks are becoming more prevalent across organizations globally, yet this report highlights the sustained weaknesses in existing software development processes and security standards," said Jason Schmitt, general manager, Synopsys Software Integrity Group. "Attackers are getting more sophisticated and thus finding more weaknesses that allow them to explore a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications, and continuously evaluate IP, security threats, and code quality to reduce risk."
Additional key findings include:
- Organizations forgoing SBOM implementation: Software Bills of Materials (SBOMs) are critical to ensuring a secure software supply chain but only
35% of security professionals say their organizations produce them. Furthermore, only40% say they immediately stop the use of software if the supplier doesn't provide a requested SBOM. The main reasons organizations generate SBOMs are general dependency and vulnerability management (50% ), industry regulations (39% ), customer requirements (38% ), and government requirements (38% ). - Open source vulnerabilities remain a huge risk: Nearly two-thirds (
65% ) of respondents say they use open source software, although less than half of respondents (47% ) say their organizations are very or highly effective in securing it in the supply chain.
To learn more, download a copy of "The State of Software Supply Chain Security Risks" report, read the blog post or register for the May 23 webinar.
Methodology
The survey collected responses from 1,278 IT and IT security practitioners who are in organizations that are committed to achieving a secure software supply chain and have some level of responsibility for their organizations' software supply chain security strategy. The regions and countries in this research are
About the Synopsys Software Integrity Group
Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that's best for them. Only Synopsys offers everything you need to build trust in your software. Learn more at www.synopsys.com/software.
About Synopsys
Catalyzing the era of pervasive intelligence, Synopsys, Inc. (Nasdaq: SNPS) delivers trusted and comprehensive silicon to systems design solutions, from electronic design automation to silicon IP and system verification and validation. We partner closely with semiconductor and systems customers across a wide range of industries to maximize their R&D capability and productivity, powering innovation today that ignites the ingenuity of tomorrow. Learn more at www.synopsys.com.
Editorial Contact:
Liz Samet
Synopsys, Inc.
336-414-6753
esamet@synopsys.com
View original content to download multimedia:https://www.prnewswire.com/news-releases/majority-of-organizations-impacted-by-software-supply-chain-attacks-over-the-past-year-with-many-struggling-to-detect-and-respond-302146715.html
SOURCE Synopsys, Inc.
FAQ
What percentage of organizations suffered software supply chain attacks in the past year?
How long do organizations typically take to respond to software supply chain attacks?
What AI tools are commonly used in software development?
What percentage of organizations evaluate AI-generated code for risks?
What is the level of commitment from leaders to reduce software supply chain risks?
How many organizations produce Software Bills of Materials (SBOMs)?
What percentage of organizations use open source software?
Are organizations effective in securing open source software in the supply chain?
Has there been an increase in investment in software supply chain security?
What are the main reasons for generating SBOMs?
