According to a recent report by Data Theorem, 91% of organizations experienced a software supply chain attack over the last year. The report is built on a survey of more than 350 respondents from private- and public-sector organizations in North America (US and Canada) across cybersecurity professionals (~39%), application developers (~32%) and IT professionals (29%) responsible for evaluating, purchasing and utilizing developer-focused security products.
The most common security incidents over this period were:
- Exploit (41%): zero-day exploit on vulnerabilities within third-party code.
- Exploit (40%): misconfigured cloud service exploits.
- Exploit (40%): vulnerability exploits in open-source software and container images.
- Secrets (37%): secrets/token/passwords stolen from source code repositories.
- Data breach (35%): API data breaches in third-party software and code.
In a related finding, the study also revealed that 88% of organizations consider it critical or important to have an accurate inventory of their third-party APIs and cloud services as it relates to software supply chain security. This is followed by 86% of organizations stating it is critical or important to know the composition/inventory of application code in use (e.g., OSS, third-party or custom), where that code is stored, and who has access to the code components connected to it.
When asked about top-priority investments in software supply chain security over the next 12 to 18 months, the largest share (44%) named scanning open-source code components and third-party libraries for vulnerabilities as the top priority, followed by discovering and inspecting APIs in source code (39%) and creating an SBOM via composition analysis (38%), while more than a third of organizations see investing in runtime API security controls as a top priority.