Data Theorem: 91% of organizations have experienced a software supply chain incident in past 12 months

Feb. 12, 2024
The study found that the overwhelming majority of organizations (91%) have experienced a software supply chain incident in the past 12 months.

PALO ALTO, Calif., Feb. 12, 2024 – Data Theorem, Inc., a leading provider of modern application security, today announced “The Growing Complexity of Securing the Software Supply Chain”¹ report, produced in partnership with Enterprise Strategy Group (ESG). The study found that the overwhelming majority of organizations (91%) have experienced a software supply chain incident in the past 12 months. The most common security incidents over this period were:

  • Exploit (41%): zero-day exploit on vulnerabilities within third-party code
  • Exploit (40%): misconfigured cloud service exploits
  • Exploit (40%): vulnerability exploits in open-source software and container images
  • Secrets (37%): secrets/token/passwords stolen from source code repositories
  • Data Breach (35%): API data breaches in third-party software and code

To gather data for this report, ESG surveyed more than 350 respondents from private- and public-sector organizations in North America (US and Canada) across cybersecurity professionals (~39%), application developers (~32%), and IT professionals (29%) responsible for evaluating, purchasing, and utilizing developer-focused security products.

In a related finding, study results also revealed that 88% of organizations feel it’s critical or important to have accurate inventory of their third-party APIs and cloud services as it relates to software supply chain security.

This is followed by 86% of organizations stating it’s critical or important to know the composition/inventory of application code in use (e.g., OSS, third-party or custom), where code is stored, and who has access to code components connected to their code.

“Because of the massive number of suppliers and partners, continuous discovery of components across the software supply chain is a major challenge; in fact from our survey the overwhelming majority (88%) of organizations state the importance and criticality of having an accurate inventory of their third-party APIs and cloud services,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “While it’s understood SBOMs are important to software supply chain security, most organizations are challenged with creating and maintaining current SBOMs. Organizations need continuous runtime scanning, discovery and inspection of open-source components, third-party libraries, and APIs in source code to best secure their applications.”

When asked about top priority investments in software supply chain security over the next 12 to 18 months, the largest share of respondents (44%) see scanning open source code components and third-party libraries for vulnerabilities as the top priority, followed by discovering and inspecting APIs in source code (39%) and creating an SBOM via composition analysis (38%). More than a third of organizations also see investing in runtime API security controls as a top priority.

“The emergence of cloud-native applications and a growing reliance on third-party APIs and cloud services have fundamentally altered the software supply chain security challenge by introducing new attack surfaces that have already been exploited and are poised to remain in the crosshairs of hackers and cyber-criminal activity,” said Doug Dooley, Data Theorem COO. “Failure to adapt to these supply chain security problems not only puts sensitive data and applications at risk but also threatens to erode the trust and integrity enterprise customers have built their business on. This ESG report highlights some of the important lessons we must learn and improve upon going forward in 2024 and beyond.”

For a free copy of ESG’s “The Growing Complexity of Securing the Software Supply Chain” report, see https://www.datatheorem.com/resources/reports/securing-the-software-supply-chain-by-enterprise-strategy-group-esg.

Note 1 – Source: Enterprise Strategy Group, a division of TechTarget Inc. Research eBook, The Growing Complexity of Securing the Software Supply Chain, February 2024.