New research conducted by Enterprise Strategy Group (ESG) and commissioned in part by the Synopsys Software Integrity Group highlights the prevalence of software supply chain risks in cloud-native applications. In response to software supply chain attacks such as Log4Shell, SolarWinds, and Kaseya, 73% of respondents say they have significantly increased their efforts to secure their organizations’ software supply chain through a variety of security initiatives.
These initiatives include the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization’s attack surface inventory (30%). Despite those efforts, 34% of organizations report that their applications have been exploited due to a known vulnerability in open source software (OSS) within the last 12 months, with 28% having suffered a previously unknown (“zero-day”) exploit found in open source software.
As the scale of OSS usage increases, its presence in applications will naturally increase as well. Current pressure to improve software supply chain risk management has placed a spotlight on Software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management have made the compilation of SBOMs complex, as confirmed in the ESG research, which shows that 39% of survey respondents marked this task as a challenge of using OSS.
While open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. This includes not only additional aspects of source code, but also how cloud-native applications are stored, packaged, and deployed, as well as how they interface with one another through application programming interfaces (APIs). Nearly half (45%) of survey respondents identified APIs as the vector most susceptible to attack, along with data storage repositories (42%) and application container images (34%).
Nearly all (99%) of respondents said their organizations either currently use, or plan to use, OSS within the next 12 months. While concerns exist with the maintenance, security, and trustworthiness of these open source projects, the top concern relates to the scale at which open source is being leveraged within application development. Fifty-four percent of organizations list “having a high percentage of application code that is open source” as their primary concern.
Survey findings also suggest that although developer-focused security and “shifting left” (a concept focused on enabling developers to conduct security testing earlier in the development lifecycle) are growing among organizations building cloud-native applications, 97% of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.