Anchore 2021 Software Supply Chain Security Report

The first report of executive insights on software supply chain security practices at large enterprises

This survey contains responses from 425 IT, Security, and DevOps leaders at large enterprises.

You can share any text, chart, or data in the report as long as you provide attribution to Anchore 2021 Software Supply Chain Security Report per the Creative Commons Attribution 4.0 license.


64% of Organizations Surveyed Have Been Impacted by Supply Chain Attacks


With over 18,000 organizations affected just by the SolarWinds attack, a significant majority (64%) of respondents have been impacted by a software supply chain attack within the last 12 months. Over a third report that the impact on their organizations was moderate or significant.


Enterprises are Focused on Securing the Software Supply Chain


Against a backdrop of recent high-profile software supply chain attacks, 46 percent of respondents indicated that they have a significant focus on securing the software supply chain while an additional 14 percent have prioritized it as a top focus. Very few (3%) indicate that it is not a priority at all.


Tech-Focused Enterprises are Most Mature Container Users


Unsurprisingly, technology-focused industries such as cloud service providers and software companies had the highest levels of container maturity. However, even traditional industries such as retail, manufacturing, healthcare, and financial services had significant percentages of respondents at intermediate or advanced levels of container adoption.


Advanced Container Users See Higher Risks in Containers


Perceived risk of containers varies by the container maturity of respondents. Importantly, 38 percent of advanced users see higher risks from containers versus only 16 percent of the least mature users. This likely arises from the fact that advanced users have a deeper understanding of the complex dependency chains that are common with containerized applications. They also better understand the need to adapt security processes and tools to unique container challenges.


Open Source and Creating SBOMs are Top Challenges for Container Users


Developers incorporate a significant amount of open source software (OSS) in the containerized applications they build. As a result, the security of OSS containers is ranked as the number one challenge by 23 percent of respondents. Tied for second place (19%) are understanding the security of code that an organization writes itself and understanding the full software bill-of-materials (SBOM). SBOMs are a critical part of President Biden's Executive Order because they are the foundation for many security and compliance practices.


Enterprises Use Five Different Container Platforms

Container Platforms Used

Respondents used a median of 5 container platforms. "Standalone" Kubernetes (instances that are not part of a PaaS service) is used most often, by 71 percent of respondents. These instances may be run on-premises, through a hosting provider, or on a cloud provider's infrastructure. The second most used container platform is Amazon ECS (56%), which is a platform-as-a-service (PaaS) offering. Tied for third place (53%) are Amazon EKS, Azure Kubernetes Services, and Red Hat OpenShift.
