Despite advancements in integrating development, security, and operations (DevSecOps) practices, many organizations still face challenges in fully securing their software supply chains. A recent global survey conducted by Atomik Research for JFrog explored these challenges in depth, revealing critical insights into the ongoing vulnerabilities and the path forward for improved security measures within software development. With a broad participant base spanning application developers, cybersecurity professionals, and IT operations teams, the survey highlighted significant areas needing attention and improvement.
Ongoing Security Concerns
Allowance of Direct Package Downloads
One of the alarming findings from the survey is that 71% of organizations permit developers to download packages directly from the internet. This practice introduces significant security risk, because it opens the door for malicious code to enter the development environment unchecked. Packages pulled straight from public sources may carry known vulnerabilities or injected malicious code that, if exploited, compromise software integrity and give attackers a foothold in the build and its outputs.
Moreover, fewer than half of the surveyed organizations reported performing comprehensive scans at both the source code and binary levels. This gap leaves a substantial portion of software unchecked for vulnerabilities and adds to the overall risk within the supply chain. Furthermore, 40% of participants admitted to lacking full visibility into the origins of the software running in their production environments, a critical blind spot that can undermine any other security effort.
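The two findings above, direct downloads and unverified binaries, translate into a concrete control that a CI job can enforce. The following is an added example, not code from JFrog or the article: it checks a pip requirements file for packages that are not pinned and hashed and for index URLs outside an internal proxy, and verifies a downloaded artifact against the recorded hash before it is promoted. The proxy host `artifacts.internal.example`, the requirements text and the hash value in it are constructed for the example.

```python
"""Added example (not code from JFrog or the article): a CI-side policy check
that makes "no direct downloads from the internet" enforceable for a Python
project, plus a hash check for the artifact that actually gets installed.

Assumptions: dependencies are declared in pip's hash-checking format
(`name==version --hash=sha256:<hex>`), and only the hypothetical internal
proxy `artifacts.internal.example` may serve packages.
"""
import hashlib
import hmac
import re
from urllib.parse import urlparse

ALLOWED_INDEX_HOSTS = {"artifacts.internal.example"}  # hypothetical proxy

PIN = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s;]+)")
SHA256_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")
INDEX_OPT = re.compile(r"^(?:--index-url|-i|--extra-index-url)[\s=]+(\S+)")


def logical_lines(text: str):
    """Yield requirement lines with comments stripped and backslash
    continuations joined, the way pip reads them."""
    buf = ""
    for raw in text.splitlines():
        part = raw.split("#", 1)[0].rstrip()
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        line = (buf + part).strip()
        buf = ""
        if line:
            yield line
    if buf.strip():
        yield buf.strip()


def check_requirements(text: str) -> list[str]:
    """Return one message per policy violation: an index outside the proxy,
    a package not pinned to an exact version, or a pin without a sha256 hash."""
    violations = []
    for line in logical_lines(text):
        idx = INDEX_OPT.match(line)
        if idx:
            if urlparse(idx.group(1)).hostname not in ALLOWED_INDEX_HOSTS:
                violations.append(f"index outside proxy: {idx.group(1)}")
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this check
        pin = PIN.match(line)
        if not pin:
            violations.append(f"not pinned to an exact version: {line}")
            continue
        if not SHA256_OPT.search(line):
            violations.append(f"no sha256 hash for {pin['name']}=={pin['version']}")
    return violations


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded file against the hash recorded in the
    requirements file before it is installed or promoted."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


# Constructed sample; the hash below is made up and does not belong to any real release.
SAMPLE_REQUIREMENTS = """\
--index-url https://artifacts.internal.example/simple
requests==2.31.0 \\
    --hash=sha256:4ff3a1b5d0c9c2e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0
urllib3>=2.0               # unpinned: the resolver may fetch whatever is newest
pyyaml==6.0.1              # pinned, but nothing verifies the bytes that arrive
--extra-index-url https://pypi.org/simple
"""

if __name__ == "__main__":
    for problem in check_requirements(SAMPLE_REQUIREMENTS):
        print("VIOLATION:", problem)
```

Running it on the sample reports three violations: the unpinned `urllib3`, the hashless `pyyaml` pin, and the extra index pointing at the public repository. The hash comparison uses `hmac.compare_digest` so the check does not leak timing information about how many leading characters matched.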
Tool Abundance and Effectiveness
The survey also reveals that an overwhelming 73% of organizations utilize seven or more security tools to manage vulnerabilities, with nearly half employing ten or more. While the abundance of tools indicates a proactive stance towards security, it also brings into question the effectiveness and integration of these tools within development workflows. The high incidence of false positives reported by these tools adds to the complexity and can lead to alert fatigue among developers and security teams.
Security researchers disclosed more than 33,000 critical vulnerabilities in the current year alone. However, research conducted by JFrog suggests that only 12% of these high-profile Common Vulnerabilities and Exposures (CVEs) warranted their “critical” rating once real-world exploitability was taken into account. An in-depth analysis revealed that 63 out of 183 notable CVEs were never exploitable within the scanned applications. This discrepancy underscores the need for better prioritization and classification of vulnerabilities, so that resources go to genuine threats rather than to severity labels.
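The prioritization gap described above can be illustrated in code. The block below is an added example, not code from JFrog or the article: it ranks findings by whether the vulnerable function is actually reachable from the application's entry points, walking a call graph, and only then by published severity and exploitation signals. The call graph, the findings, the placeholder CVE ids (`CVE-0000-000N`), and the three signals assumed to come from a scanner (published severity, a known-exploited flag, an exploitation-probability score) are all constructed for the example.

```python
"""Added example (not code from JFrog or the article): vulnerability triage
driven by reachability rather than by published severity alone.

The call graph, findings and CVE ids below are constructed placeholders, and
the scanner signals (severity, known_exploited, epss) are assumptions about
what a scanner would provide.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    vulnerable_symbol: str   # function the advisory says is affected
    severity: str            # as published: critical / high / medium / low
    known_exploited: bool    # observed exploited in the wild
    epss: float              # assumed 0..1 probability-of-exploitation score


def is_reachable(call_graph: dict, entry_points, target: str) -> bool:
    """Breadth-first walk over 'caller -> callees' edges from the entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for callee in call_graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False


def priority(f: Finding, reachable: bool) -> str:
    """Tier a finding: unreachable code is monitored, not patched under pressure."""
    if not reachable:
        return "P3-monitor"        # re-evaluate when the code or the graph changes
    if f.known_exploited:
        return "P0-fix-now"
    if f.severity == "critical" or f.epss >= 0.1:
        return "P1-this-sprint"
    return "P2-backlog"


def triage(findings, call_graph, entry_points) -> dict:
    """Group CVE ids by tier, each group sorted, tiers in alphabetical order."""
    tiers = {}
    for f in findings:
        tier = priority(f, is_reachable(call_graph, entry_points, f.vulnerable_symbol))
        tiers.setdefault(tier, []).append(f.cve)
    return {tier: sorted(ids) for tier, ids in sorted(tiers.items())}


def actionable_share_of_critical(findings, call_graph, entry_points) -> float:
    """Fraction of published-'critical' findings that actually land in P0 or P1."""
    critical = [f for f in findings if f.severity == "critical"]
    if not critical:
        return 0.0
    actionable = [
        f for f in critical
        if priority(f, is_reachable(call_graph, entry_points, f.vulnerable_symbol))
        in ("P0-fix-now", "P1-this-sprint")
    ]
    return len(actionable) / len(critical)


# Constructed call graph of a small application: yaml.full_load exists in the
# dependency but is never called by application code.
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "yaml.safe_load"},
    "app.handle_upload": {"imglib.decode_png"},
    "imglib.decode_png": {"imglib.parse_chunk"},
    "yaml.safe_load": set(),
    "yaml.full_load": {"yaml.construct_python_object"},
}
ENTRY_POINTS = ["app.main"]

# Constructed findings with placeholder CVE ids.
FINDINGS = [
    Finding("CVE-0000-0001", "imglib", "imglib.parse_chunk", "critical", False, 0.02),
    Finding("CVE-0000-0002", "pyyaml", "yaml.construct_python_object", "critical", True, 0.50),
    Finding("CVE-0000-0003", "imglib", "imglib.decode_png", "high", True, 0.90),
    Finding("CVE-0000-0004", "netlib", "netlib.dial", "critical", False, 0.01),
]

if __name__ == "__main__":
    for tier, ids in triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS).items():
        print(tier, ids)
    print("critical findings that are actionable:",
          actionable_share_of_critical(FINDINGS, CALL_GRAPH, ENTRY_POINTS))
```

In the sample, two of the three published-critical findings sit in code the application never calls and drop to the monitoring tier, while a "high" finding that is both reachable and known to be exploited becomes the first thing to fix. The real work in production is producing the call graph; the tiering logic itself is deliberately simple so that developers can read and trust it.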
Increasing Complexity in Software Supply Chains
Integration of New Packages and Repositories
The complexity of managing software supply chains continues to escalate as organizations integrate an average of 458 new packages each year. These packages, drawn from many programming languages and public repositories, each bring potential vulnerabilities that must be managed. Increasingly, organizations also rely on repositories such as Docker Hub and Hugging Face to obtain AI models, which extends the supply chain further. This growing reliance on public repositories calls for more robust API security measures to protect against unauthorized access and data breaches.
JFrog’s discovery of over 25,000 exposed secrets in public registries highlights a critical area of concern. Exposed secrets such as API keys and passwords can be used by malicious actors to gain unauthorized access to systems and sensitive data. Addressing the problem requires a concerted effort to adopt practices and tools that detect such leaks before artifacts are published and remediate them quickly when they slip through.
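Detecting the kind of exposed secret described above is a task a registry, a CI pipeline or a pre-publish hook can automate. The following is an added example, not code from JFrog or the article: a small scanner that reports exact-format credentials (AWS access key ids beginning `AKIA`, GitHub personal access tokens beginning `ghp_`, PEM private-key headers, all publicly documented formats) with high confidence, grades generic `password=` / `api_key=` assignments by string entropy, and ignores templated placeholders such as `${DB_PASSWORD}`. The configuration text and every credential value in it are constructed for the example.

```python
"""Added example (not code from JFrog or the article): a scanner for exposed
secrets of the kind the survey reports in public registries.

All sample values below are made up; only the token formats they imitate
(AKIA... access key ids, ghp_ tokens, PEM headers) are real and documented.
"""
import math
import re
from collections import Counter

# Exact-format credentials: a match is a high-confidence finding.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `name = value` assignments whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^'\"\s]{8,})"
)
# Values that are clearly references to be filled in at deploy time.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<.*>)$")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random API keys score well above 3.5;
    dictionary words and defaults such as 'changeme' score below 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "..."


def scan_text(text: str) -> list:
    """Return findings as dicts: line number, kind, confidence, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen_values = set()
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                seen_values.add(m.group(0))
                findings.append({"line": line_no, "kind": kind,
                                 "confidence": "high", "value": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            # Skip values already reported by an exact-format pattern, and
            # deploy-time placeholders that contain no secret material.
            if value in seen_values or PLACEHOLDER.match(value):
                continue
            confidence = "medium" if shannon_entropy(value) >= 3.5 else "low"
            findings.append({"line": line_no, "kind": f"assignment:{name}",
                             "confidence": confidence, "value": redact(value)})
    return findings


# Constructed sample of a build config that might be pushed to a public registry.
SAMPLE_CONFIG = """\
# constructed sample of a build config accidentally pushed to a public registry
ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
password = "${DB_PASSWORD}"
api_key: "kq7Zt2mVx9pLw4Rb8nYc1Hd6"
token = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
password: changeme
debug = true
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['confidence']:<6}  {f['kind']:<22}  {f['value']}")
```

On the sample this yields four findings: two high-confidence token matches, a medium-confidence high-entropy `api_key`, and a low-confidence `password: changeme`; the `${DB_PASSWORD}` placeholder is ignored. Low-confidence assignments are reported rather than dropped because a default password committed to a public image is still a leak, just one a reviewer must confirm; that trade-off between recall and the false-positive fatigue the survey describes is the main tuning decision in any secret scanner.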
Collaboration and Training Imperatives
Paul Davis, JFrog’s field CTO, emphasizes the importance of close collaboration between cybersecurity teams and developers to improve overall security posture. Training developers to recognize and address security issues in their code can lead to a more security-aware development culture. This knowledge transfer across teams can reduce the incidence of vulnerabilities and result in more secure software products.
Given the frequency of false positives from security alerts, simply creating exhaustive lists of vulnerabilities for developers to address is insufficient. Organizations need to focus on implementing DevSecOps practices in a manner that integrates seamlessly with development workflows without overburdening teams. This requires a balanced approach that considers the impact on productivity while ensuring that security measures are effective and trusted by development teams.
Path Forward for Enhanced Security
Need for Improved Collaboration
The survey highlights the ongoing need for enhanced collaboration between cybersecurity and development teams. By fostering a culture of shared responsibility and mutual understanding, organizations can create an environment where security is an integral part of the development process. Developers should receive continuous training on the latest security practices and trends to stay ahead of potential threats. Additionally, cybersecurity teams should work closely with developers to understand their workflows and provide tools and resources that integrate smoothly into their processes.
Prioritization and Management of Vulnerabilities
Taken together, the findings make prioritization the central management problem: when only 12% of published critical CVEs prove exploitable in practice and false positives already erode developers’ trust in alerts, organizations gain more from classifying vulnerabilities by real exploitability than from handing developers exhaustive lists. The survey, conducted by Atomik Research for JFrog among application developers, cybersecurity experts, and IT operations teams, underscores the need for continued emphasis on DevSecOps integration to mitigate risks and protect against potential threats effectively, and it highlights both the persistent challenges and the critical need for robust security frameworks in the ever-evolving landscape of software development.