ESG research reveals software supply chain incident in past year

Data Theorem, Inc., a leading provider of modern application security, today announced "The Growing Complexity of Securing the Software Supply Chain" report, produced in partnership with Enterprise Strategy Group (ESG). The study found that the overwhelming majority of organizations (91%) have experienced a software supply chain incident in the past 12 months.

The most common security incidents over this period were:

  • Exploit (41%): zero-day exploit on vulnerabilities within third-party code
  • Exploit (40%): misconfigured cloud service exploits
  • Exploit (40%): vulnerability exploits in open-source software and container images
  • Secrets (37%): secrets/token/passwords stolen from source code repositories
  • Data Breach (35%): API data breaches in third-party software and code

To gather data for this report, ESG surveyed more than 350 respondents from private- and public-sector organizations in North America (US and Canada), comprising cybersecurity professionals (~39%), application developers (~32%), and IT professionals (29%) responsible for evaluating, purchasing, and utilizing developer-focused security products.

In a related finding, study results also revealed that 88% of organizations feel it's critical or important to have accurate inventory of their third-party APIs and cloud services as it relates to software supply chain security. This is followed by 86% of organizations stating it's critical or important to know the composition/inventory of application code in use (e.g., OSS, third-party or custom), where code is stored, and who has access to code components connected to their code.

"Because of the massive number of suppliers and partners, continuous discovery of components across the software supply chain is a major challenge; in fact, from our survey the overwhelming majority (88%) of organizations state the importance and criticality of having an accurate inventory of their third-party APIs and cloud services," said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. "While it's understood SBOMs are important to software supply chain security, most organizations are challenged with creating and maintaining current SBOMs. Organizations need continuous runtime scanning, discovery and inspection of open-source components, third-party libraries, and APIs in source code to best secure their applications."