Anchore 2022 Software Supply Chain Security Report

Widespread attacks including exploits of the recent Log4Shell vulnerability have mobilized organizations to understand and reduce software supply chain security risk by adopting best practices. In the last 12 months, more than 70 percent of survey respondents in the technology sectors were impacted by a software supply chain attack, with 50 percent of software companies reporting the attacks as having a significant impact or moderate impact. More than half of companies in non-technology industries were affected.

Given the recent high-profile software supply chain attacks, it’s not surprising that more than half of respondents (54 percent) report that securing their software supply chains is a top or significant focus, while an additional 29 percent say that it is somewhat of a focus.

Unsurprisingly, technology-focused industries such as internet and software companies have the highest levels of container maturity. However, even traditional industries such as retail, financial services, manufacturing, and healthcare show significant percentages of respondents at intermediate levels of container adoption.

Respondents used a median of 5 container platforms. ”Standalone” Kubernetes based on the open source package is used most often by 75 percent of respondents. These environments may be run on-premises, through a hosting provider, or on a cloud provider’s infrastructure. The second most used container platform is Azure Kubernetes Service (AKS) with 53 percent, and Red Hat OpenShift is third with 50 percent. The top container platforms are heavily used in both production and development environments.

Developers incorporate a significant amount of open source software (OSS) in the containerized applications they build. As a result, the security of OSS containers is the top priority for 45 percent of respondents. In second place (44 percent) is understanding the security of code that organizations write themselves, with managing the security of third-party containers coming in third (41 percent).

The software bill-of-materials (SBOM) is a critical part of President Biden’s Executive Order because it is the foundation for many security and compliance best practices. The container maturity of an organization has a direct correlation with its plans to adopt SBOMs. Organizations across all levels of container maturity plan to increase their SBOM use, with 82 percent of advanced users citing plans to increase their use of SBOMs.