The challenge of building and maintaining a secure software supply chain continues to vex enterprise IT leaders. We recently surveyed IT, security, and development leaders in the Anchore 2021 Software Supply Chain Security Report to get some insights into these challenges they and their teams face daily.

Here’s a preview of our survey results:

Highlights from the Survey

Container usage is on the rise as these highlights from the survey show:

  • 65% of the respondents replied they are at intermediate or advanced levels of container maturity
  • 84% plan to increase container use and 29% will increase container use significantly. Respondents use containers for both internal applications and software products they sell.
  • 38% of advanced container users see containerized apps as a higher supply chain risk versus 16% of beginner container users

1. Open Source is the Top Container Security Challenge

Developers incorporate a significant amount of open source software (OSS) in the containerized applications they build. As a result, 23% of respondents rank securing OSS containers as the number one challenge. Tied for second place (19%) are understanding the security of code that an organization writes itself and understanding the full software bill of materials (SBOM). SBOMs are a critical part of President Biden's Executive Order because they are the foundation for many security and compliance practices.


2. Software Supply Chain Attacks Cut Deep

With over 18,000 organizations affected by the SolarWinds attack alone, a software supply chain attack has affected a significant majority (64%) of respondents within the last twelve months. Over a third of the respondents report that the impact of a software supply chain attack on their organizations was moderate or significant.


3. Containers and Software Supply Chain Risk

One interesting statistic from the survey: 38% of advanced container users see containerized apps as a higher supply chain risk, versus just 16% of beginner container users.

These stats paint an intriguing picture of container adoption entering middle age when you look at the rise of Docker containers since 2013 leading into the current generation of cloud-native development. Long-time container users recognize the security risks of containers inside the supply chain, while a new generation of developers adopting containers is starting on its own learning journey.


4. OSS, SBOM, and Container Security Rank as Challenges

Open source software (OSS) ranks as a top container security challenge according to 23% of the survey respondents. Meanwhile, the software bill of materials (SBOM) is a top challenge for 19% of the respondents.

Another interesting insight from the survey is that some enterprises still underestimate the share of OSS in their applications, putting it at 26% of components and code, whereas industry benchmarks such as the Synopsys 2020 Open Source Security and Risk Analysis Report point to OSS comprising 70% or more of the components and code in today’s applications.

Bar chart showing comparison of top container security challenges.

5. The Truth about False Positives

We hear a lot about container vulnerability scanning challenges and the damage that false positives can do to a security team’s credibility. Survey respondents laid out their top three challenges:

  • Identifying vulnerabilities (86%)
  • Receiving too many false positives (77%)
  • Getting developers to remediate issues (77%)

On average, survey respondents estimate that 44% of vulnerabilities they find are false positives.

Do you want more insights to help build and maintain a secure software supply chain? Download the Anchore 2021 Software Supply Chain Security Report!