Author: Sonja Schweigert
Anchore Survey 2024: Only 1 in 5 organizations have full visibility of open source
The Anchore 2024 Software Supply Chain Security Report is now available. It draws on the experiences and practices of more than 100 organizations that are targets of software supply chain attacks.
Survey Highlights
The survey shows that amid growing software supply chain risks:
- The intensity of software supply chain attacks is increasing.
- 200% increase in the priority of software supply chain security.
- Only 1 in 5 have full visibility of open source.
- Third-party software joins open source as a top security challenge.
- Organizations must comply with an average of 4.9 standards.
- 78% plan to increase SBOM usage.
- Respondents worry about AI’s impact on software supply chain security.
The intensity of software supply chain attacks is increasing.
The survey shows that the intensity of software supply chain attacks is increasing: 21% of successful supply chain attacks had a significant impact, more than double the 10% recorded in 2022.
200% increase in the priority of software supply chain security.
As a result of increased attacks, organizations are increasing their focus on software supply chain security, with a 200% increase in organizations making it a top priority.
Only 1 in 5 have full visibility of open source.
Amid growing software supply chain risks, only 21% of respondents are very confident that they have complete visibility into all the dependencies of the applications their organization builds. Without this critical foundation, organizations are unaware of vulnerabilities that leave them open to supply chain attacks.
Third-party software joins open source as a top security challenge.
Organizations are looking to secure all elements of their software supply chain, including open source software and third-party libraries. While the security of open source software continues to be identified as a significant challenge, in this year's report 46% of respondents also chose the security of third-party software as a significant challenge.
Organizations must comply with an average of 4.9 different standards.
Compliance is a significant driver of supply chain security. As software supply chain risks grow, governments and industry groups are responding with new guidelines and regulations. Respondents reported needing to comply with almost five separate standards per organization on average. Many must meet new regulatory requirements, including the CISA directive on Known Exploited Vulnerabilities (KEV), the Secure Software Development Framework (SSDF), and the EU Cyber Resilience Act.
78% plan to increase SBOM usage.
The software bill of materials (SBOM) is now a critical component of software supply chain security. An SBOM lists the components a piece of software is built from, and that inventory is the foundation for finding the vulnerabilities and risks in it. While just under half of respondents currently use SBOMs, a large majority plan to increase SBOM use over the next 18 months.
Respondents worry about AI’s impact on software supply chain security.
A large majority of respondents are concerned about AI's impact on software supply chain security, and as many as a third are very concerned. The highest concerns are code tested with AI and code generated with AI or Copilot-style assistants.
Let’s design an action plan
Join us on December 10, 2024 for a live discussion with VP of Security Josh Bressers on the latest trends, with practical steps for building a more resilient software supply chain.
To minimize risk, avoid reputational damage, and protect downstream users and customers, software supply chain security must become a new practice for every organization that uses or builds software. SBOMs are a critical foundation of this new practice, providing visibility into the dependencies and risks of the software you use.
Here are seven steps to take your software supply chain security to the next level:
- Assess your software supply chain maturity against best practices.
- Identify key challenges and create a plan to make tangible improvements over the coming months.
- Develop a methodology to document and assess the impact of supply chain attacks on your organization, along with improvements to be made.
- Create a plan to generate, manage, and share SBOMs as a key pillar of your supply chain security initiative. Learn more with the Expert Guide on SBOMs in Cybersecurity and 6 Ways to Prevent SBOM sprawl.
- Delve into existing and emerging compliance requirements and create a plan to automate compliance checks. Learn how to meet compliance standards like NIST, SSDF, and FedRAMP.
- Identify gaps in tooling and create plans to address the gaps. See how Anchore can help. Try open source tools like Syft for SBOM generation and Grype for vulnerability scanning as a good way to get started.
- Create an organizational structure and define responsibilities to address software supply chain security and risk.
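The SBOM section above calls the SBOM the foundation for understanding vulnerabilities, and step 4 and step 6 of the plan turn that into a pipeline: generate an SBOM (for example with Syft, `syft <image> -o cyclonedx-json`) and match its components against known vulnerabilities (for example with Grype). The script below is an added example, not Anchore's, Syft's or Grype's code, showing what that matching step actually does on a CycloneDX document: it parses each component's package URL (purl), compares the version against an advisory's affected range, flags KEV-listed hits first, and reports components that have no purl and therefore cannot be matched at all, which is the visibility gap the survey describes. The SBOM and the advisory list are constructed inline so it runs offline; the two advisories are real, well-known ones copied by hand, and the "internal-utils" component is made up for the example.

```python
"""Match the components of a CycloneDX JSON SBOM against an advisory list.

Added example, not Anchore/Syft/Grype code. SBOM and advisories are
constructed inline so the script runs offline.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM, trimmed to the fields read below.
# Versions are chosen deliberately: log4j-core 2.14.1 is inside the
# Log4Shell range, lodash 4.17.21 is exactly the fixed version, and
# "internal-utils" (made up) has no purl and cannot be matched.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "openssl", "version": "3.0.2-0ubuntu1.6",
     "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.6?distro=ubuntu-22.04"},
    {"type": "library", "name": "internal-utils", "version": "1.2.0"}
  ]
}
"""

# Constructed feed holding two real, well-known advisories copied by hand;
# a real matcher reads thousands from a vulnerability database.
ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven",
     "namespace": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0", "kev": True},
    {"id": "CVE-2021-23337", "type": "npm", "namespace": "", "name": "lodash",
     "introduced": None, "fixed": "4.17.21", "kev": False},
]


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath.
    Percent-decoding is omitted; none of the inputs here need it."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: " + purl)
    rest, _, _subpath = purl[len("pkg:"):].partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, _, version = rest.partition("@")
    parts = rest.strip("/").split("/")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(parts[1:-1]),
        "name": parts[-1],
        "version": version,
        "qualifiers": dict(q.split("=", 1) for q in qualifiers.split("&") if q),
    }


def version_key(version):
    """Numeric parts compare numerically; a textual part (a pre-release tag
    such as beta9) sorts before any number in the same position. Adequate
    for this example; real tools use per-ecosystem comparators."""
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in re.split(r"[.\-+]", version))


def version_lt(a, b):
    return version_key(a) < version_key(b)


def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed (None means unbounded)."""
    if introduced is not None and version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def scan(sbom_json, advisories):
    """Return (findings, unmatchable): advisories hit by the SBOM's
    components, KEV entries first, and names of components lacking a purl."""
    findings, unmatchable = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatchable.append(comp["name"])
            continue
        p = parse_purl(purl)
        for adv in advisories:
            same_pkg = (adv["type"], adv["namespace"], adv["name"]) == (
                p["type"], p["namespace"], p["name"])
            if same_pkg and is_affected(p["version"], adv["introduced"],
                                        adv["fixed"]):
                findings.append({"id": adv["id"], "purl": purl,
                                 "fixed": adv["fixed"], "kev": adv["kev"]})
    findings.sort(key=lambda f: (not f["kev"], f["id"]))
    return findings, unmatchable


if __name__ == "__main__":
    hits, gaps = scan(SBOM_JSON, ADVISORIES)
    for f in hits:
        print(("KEV " if f["kev"] else "    ") + f["id"], f["purl"],
              "fixed in", f["fixed"])
    print("components with no purl (not matchable):", gaps)
```

Two things the example makes concrete that the list of steps does not: version matching is a range check with an exact boundary (lodash 4.17.21 is the fix release and must not be flagged), and a component without a purl silently drops out of every match, so an SBOM quality check for missing identifiers belongs next to the vulnerability scan.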