Saturday, November 23, 2024

Research emphasizes effective practices for a secure software supply chain

Suse’s latest report on Securing the cloud reveals that almost every IT decision-maker surveyed is worried about the security risks related to their software supply chain. Based on a survey of 820 IT professionals, the 2024 edition of the report shows that 94% of IT decision-makers plan to review their software supply chain to enhance security.

Nearly half (46%) of IT decision-makers are considering certifying processes and tools used to develop software as a key step to reduce the risk of supply chain attacks. The report states that internal auditing of software is seen as the most important measure to mitigate the impact of supply chain attacks.

Some IT decision-makers anticipate that government-recognized security certifications related to the supply chain (25%) will become more important in the next year. Source-code auditability (14%), build quality (15%), and software bill of materials depth, quality, and security (24%) are also expected to be prioritized in the coming years.

The report surveyed IT decision-makers in the US, Germany, UK, France, and the Netherlands. Differences were observed in opinions among respondents from various regions, with varying levels of importance placed on measures to enhance software supply chain security.

The survey indicated that responses to supply chain risks varied based on respondents’ roles in the business. While software and network engineers, technical architects, or developers are more likely to believe that source-code auditability goals will be re-evaluated, they are less inclined to think the same about SBOM depth, quality, and security goals.

To address the risks of supply chain attacks, the most popular measures identified by IT decision-makers include certifying processes and tools used to build software, leveraging software from reputable providers, and conducting in-house software audits. The importance of certifying processes and tools is higher in the US compared to Europe, while in-house auditing of software is more popular in Germany than in the UK and the Netherlands.