The Anchore 2024 Software Supply Chain Security Report is now available. This report provides a unique set of insights into the experiences and practices of over 100 organizations that are the targets of software supply chain attacks.
Survey Highlights
The survey shows that amid growing software supply chain risks:
- The intensity of software supply chain attacks is increasing.
- 200% increase in the priority of software supply chain security.
- Only 1 in 5 have full visibility of open source.
- Third-party software joins open source as a top security challenge.
- Organizations must comply with an average of 4.9 standards.
- 78% plan to increase SBOM usage.
- Respondents worry about AI's impact on software supply chain security.
The intensity of software supply chain attacks is increasing.
The survey shows that the intensity of software supply chain attacks is increasing, with 21% of successful supply chain attacks having a significant impact, more than doubling from 10% in 2022.
200% increase in the priority of software supply chain security.
In response to the increase in attacks, organizations are raising the priority of software supply chain security: the number that rank it a top priority has grown by 200%.
Only 1 in 5 have full visibility of open source.
Amid growing software supply chain risks, only 21% of respondents are very confident that they have complete visibility into all the dependencies of the applications their organization builds. Without this critical foundation, organizations are unaware of vulnerabilities that leave them open to supply chain attacks.
Third-party software joins open source as a top security challenge.
Organizations are looking to secure all elements of their software supply chain, including open source software and third-party libraries. While the security of open source software continues to be identified as a significant challenge, in this year’s report 46% of respondents also chose the security of third-party software as a significant challenge.
Organizations must comply with an average of 4.9 different standards.
Compliance is a significant driver in supply chain security. As software supply chain risks grow, governments and industry groups are responding with new guidelines and regulations. Respondents reported the need to comply with an average of almost five separate standards per organization. Many must comply with new regulatory requirements including CISA's Binding Operational Directive 22-01 on Known Exploited Vulnerabilities (KEV), the NIST Secure Software Development Framework (SSDF), and the EU Cyber Resilience Act.
78% plan to increase SBOM usage.
The software bill-of-materials (SBOM) is now a critical component of software supply chain security. An SBOM provides visibility into software ingredients and is a foundation for understanding software vulnerabilities and risks. While just under half of respondents currently leverage SBOMs, a large majority plan to increase SBOM use over the next 18 months.
Respondents worry about AI's impact on software supply chain security.
A large majority of respondents are concerned about AI's impact on software supply chain security, and as many as a third are very concerned. The highest concerns are with code tested with AI and code generated by AI assistants such as Copilot.
Let’s design an action plan
Join us on December 10, 2024 for a live discussion with VP of Security Josh Bressers on the latest trends, including practical steps for building a more resilient software supply chain.
To minimize risk, avoid reputational damage, and protect downstream users and customers, software supply chain security must become a new practice for every organization that uses or builds software. SBOMs are a critical foundation of this new practice, providing visibility into the dependencies and risks of the software you use.
Here are seven steps to take your software supply chain security to the next level:
- Assess your software supply chain maturity against best practices.
- Identify key challenges and create a plan to make tangible improvements over the coming months.
- Develop a methodology to document and assess the impact of supply chain attacks on your organization, along with improvements to be made.
- Create a plan to generate, manage, and share SBOMs as a key pillar of your supply chain security initiative. Learn more with the Expert Guide on SBOMs in Cybersecurity and 6 Ways to Prevent SBOM sprawl.
- Delve into existing and emerging compliance requirements and create a plan to automate compliance checks. Learn how to meet requirements such as NIST guidance, the SSDF, and FedRAMP.
- Identify gaps in tooling and create plans to address the gaps. See how Anchore can help. Try open source tools like Syft for SBOM generation and Grype for vulnerability scanning as a good way to get started.
- Create an organizational structure and define responsibilities to address software supply chain security and risk.
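The SBOM, compliance-automation and tooling steps above come together in one concrete check: generate an SBOM, scan it, and fail the build on anything that appears in CISA's KEV catalog or that the SBOM could not identify at all. The script below is an added example, not Anchore's code and not part of the report. It assumes three JSON documents, all constructed inline so it runs offline: a CycloneDX SBOM (the format Syft can emit with `-o cyclonedx-json`), a scan report shaped like Grype's `-o json` output (the field names `matches[].vulnerability.id/severity` and `matches[].artifact.name/version` are an assumption), and an extract of the CISA KEV feed using the feed's own `cveID`/`dueDate` field names. The Log4Shell entry and its due date are real; the scan results are constructed.

```python
"""Gate a build on CISA KEV hits and on SBOM components of unknown origin.

Added example; not Anchore's code and not part of the survey report.
Inputs are constructed inline so the script runs offline:
  * SBOM_JSON    - a CycloneDX SBOM, the format Syft can emit;
  * MATCHES_JSON - a scan report shaped like Grype's `-o json` output
                   (field names are an assumption);
  * KEV_JSON     - an extract of the CISA KEV feed (public field names).
"""
import json
from datetime import date

# Constructed CycloneDX 1.5 SBOM. "vendor-blob" has no purl: this is what an
# unidentified third-party component looks like after SBOM generation.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.30.0",
         "purl": "pkg:pypi/requests@2.30.0"},
        {"type": "library", "name": "vendor-blob", "version": "1.0"},
    ],
})

# Constructed scan result in the shape of Grype's JSON report (assumption).
MATCHES_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
     "artifact": {"name": "log4j-core", "version": "2.14.1"}},
    {"vulnerability": {"id": "CVE-2023-32681", "severity": "Medium"},
     "artifact": {"name": "requests", "version": "2.30.0"}},
]})

# Constructed KEV extract; the Log4Shell due date matches the public catalog.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dueDate": "2021-12-24"},
]})

NO_MATCHES_JSON = json.dumps({"matches": []})


def unidentified_components(sbom_text):
    """Names of SBOM components with no purl; these cannot be matched to advisories."""
    doc = json.loads(sbom_text)
    return [c["name"] for c in doc.get("components", []) if not c.get("purl")]


def kev_due_dates(kev_text):
    """Map CVE id -> remediation due date from a KEV catalog document."""
    doc = json.loads(kev_text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in doc["vulnerabilities"]}


def kev_findings(matches_text, kev_text, today):
    """Scan matches that appear in KEV, earliest due date first. `today` is ISO YYYY-MM-DD."""
    now = date.fromisoformat(today)
    due = kev_due_dates(kev_text)
    findings = []
    for m in json.loads(matches_text)["matches"]:
        cve = m["vulnerability"]["id"]
        if cve not in due:
            continue  # ordinary vulnerability: triage by severity, not a KEV failure
        findings.append({
            "cve": cve,
            "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
            "severity": m["vulnerability"]["severity"],
            "due": due[cve].isoformat(),
            "overdue": now > due[cve],
        })
    findings.sort(key=lambda f: f["due"])
    return findings


def gate(sbom_text, matches_text, kev_text, today):
    """Return (passed, reasons). Fails on any KEV hit and on any component of unknown origin."""
    reasons = [
        f"{f['cve']} in {f['package']}: in CISA KEV, due {f['due']}"
        + (" (OVERDUE)" if f["overdue"] else "")
        for f in kev_findings(matches_text, kev_text, today)
    ]
    reasons += [f"{name}: no purl in SBOM, origin unknown"
                for name in unidentified_components(sbom_text)]
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, reasons = gate(SBOM_JSON, MATCHES_JSON, KEV_JSON, "2024-12-10")
    print("PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
```

In a pipeline the three inputs would come from `syft <image> -o cyclonedx-json`, `grype sbom:<sbom-file> -o json`, and a download of CISA's `known_exploited_vulnerabilities.json`. The gate deliberately treats a component with no purl as a failure rather than a warning: a dependency the SBOM cannot identify is exactly the visibility gap the survey's "1 in 5" figure describes, and no scanner can match it to an advisory.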