WESTMINSTER, Colo. — Coalfire released its first annual Securealities Software Supply Chain Risk report. The study reveals sharp budget increases; a dramatic rise in executive-level awareness; and growing enterprise demand for more testing, training, and process improvements to better protect digital assets.
The majority of C-level respondents are taking action to address new threats and vulnerabilities across an expanding attack surface and are dedicated to managing software supply chain risk along the entire software development life cycle (SDLC).
“With this first annual Software Supply Chain Risk Report, our goal is to reveal how application security is adapting to industry disruption and adopting new technologies to secure the digital supply chain,” said Coalfire CEO Tom McAndrew. “The data tells us that budgets and best practices are now top of mind for executive leadership and security teams, and there’s no time to waste in achieving parity in today’s competitive cloud environments.”
Coalfire commissioned CyberRisk Alliance to conduct a survey of 300 respondents from both software-buying and software-producing companies. The goals were to capture the impact of highly public cyber events, President Joe Biden’s Executive Order (EO) on cybersecurity, and procurement delays, as well as to discover what actions companies are taking to address these mission-critical challenges.
The report summarizes the gravity of software supply chain risk and provides best practices for software buyers and sellers to effectively mitigate threats.
Key findings:
- Software supply chain risk is now mainstream. More than half (52%) of respondents are “very” or “extremely” concerned about software supply chain risks.
- More than 50% of boards of directors at software-buying companies are raising concerns, which means that responsibility for software supply chain risk is no longer confined to technical teams.
- Organizations aren’t standing on the sidelines — they are taking decisive action to combat supply chain vulnerability.
- Among software buyers, nearly 60% have increased testing on third-party applications, and 50% are purchasing new systems or new tooling.
- Two-thirds have implemented additional staff training budgets to help manage the deluge of application vulnerabilities.
- Given the Software Bill of Materials (SBOM) requirements within the president’s EO, 54% of organizations are refocusing on the SDLC.
- Corporate leaders are planning to invest heavily in software supply chain risk management, with over one-third likely to allocate at least 10% of their application security budget to supply chain-specific processes.
“With 71% of respondents reporting that DevOps is now leading digital supply chain decision-making, we’ve clearly reached a turning point in the evolution of security management,” said Coalfire’s Vice President of Product Strategy Dan Cornell. “It’s great news for software buyers as this shift will ultimately create stronger applications with fewer vulnerabilities.”
“Strength in applications is crucial to building and maintaining trust between software developers and software buyers or operators,” said Joshua Corman, former chief strategist of the CISA COVID Task Force, founder of I Am The Cavalry, and author of the report. “The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is — and to the consequences we will incur if that trust is misplaced.”