Software supply chain security a “greater concern” than generative AI

Major disconnect exists between security and development teams

Michael Hill
12/07/2023

Security professionals are more concerned about software supply chain security blind spots than generative AI risks, according to a new report from security firm Cycode. The vendor surveyed 500 enterprise security professionals in the US, with 78 percent stating that today’s application security (AppSec) attack surfaces are unmanageable.

Tool sprawl and crowded tool stacks are significant contributors to the software supply chain security challenges organizations face, while overwhelmed security and development teams aren’t working well together to address problems, according to the State of ASPM Report.

Software supply chain security threats are a major issue for organizations across sectors. In May, Juniper Research predicted that the costs of software supply chain attacks could exceed US $46 billion this year alone, with losses attributed to software supply chain attacks expected to reach almost $81 billion by 2026. The recent 3CX hack is a prime example of the risks posed by cascading software supply chain compromises.

Software supply chain security is biggest concern

Software supply chain blind spots were cited as the biggest security concern by 72 percent of those surveyed, just pipping generative AI, which was cited by 71 percent. Open source components, cloud and containers and CI/CD pipeline blind spots were the next most flagged security concerns, each on 69 percent. The fact that security professionals are more concerned about software supply chain risks than generative AI threats is telling as the impact of the technology on cyber security continues to make headlines.

In August, research from Deep Instinct revealed that threat actors’ use of generative AI has fueled a significant rise in attacks worldwide in the last year, while Google recently warned that generative AI large language models (LLMs) will be used by cyber criminals to greatly enhance the effectiveness and scale of social engineering attacks in 2024.

Security professionals plagued by alert fatigue

Security professionals are plagued by an influx of alerts generated by their numerous application security tools, with 75 percent struggling with the complexity of managing multiple tools, according to Cycode’s report. This is causing alert fatigue, which can significantly impact and delay responses to critical alerts. A sizable 76 percent of the security professionals surveyed said that managing all alerts is challenging, with 81 percent stating that developer teams are experiencing too much vulnerability noise and alert fatigue.

Seventy-four percent of security professionals surveyed find it challenging to know which vulnerabilities to fix first, while 83 percent are not always able to scale the process of getting vulnerabilities to the right developers at the right time. What’s more, 80 percent of respondents whose developer teams are experiencing too much noise and alert fatigue also think that their developer teams aren’t remediating all vulnerabilities as a result.

Major disconnect between security and development teams

The data also uncovered a major disconnect between security and development teams. Eighty-eight percent of respondents said the responsibility for the security of applications within their organization is spread across multiple groups, each with their own tools. As a result, 77 percent find understanding who “owns” security to be a challenge. Almost all those surveyed (90 percent) said the relationship between security and developers needs to improve.

“Much of the Cycode report findings align with what we’re seeing in the market, starting with the criticality of software supply chain security,” commented Katie Norton, senior research analyst at IDC. “Our 2023 DevSecOps Adoption, Techniques and Tools Survey identified a vulnerable software supply chain as a top application security gap. Our IDC research also found that companies struggle with developer and security misalignment and have prioritized fostering coordination.”
