Chainguard, the software supply chain security company, has released the results of its inaugural report on the perspectives of CISOs and developers when it comes to tackling software supply chain security within their organization.
The 2023 CISO & Developer Trends in Software Supply Chain Security Report, conducted by The Harris Poll, found a majority of both developers and CISOs view software supply chain security as a top priority in their roles (70% and 52% respectively), but there is a clear disconnect and even some distrust between CISOs and developers related to how security-conscious each department is within the organization, who is responsible for preventing and mitigating security issues, how well CISOs understand developers’ day-to-day tools, and how well developers understand the risk associated with aspects of their job and the tools they use.
“Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the most well-resourced and staffed organizations,” said Kim Lewandowski, co-founder and Chief Product Officer at Chainguard. “The findings in the report reflect the tension in the security landscape, as organizations are re-thinking how to maintain developer velocity and the advantages of open source technology, while closing the gap on a new class of vulnerabilities that software supply chains have accrued.”
Key findings from the report include:
- How well are developers approaching security? Depends who you ask. 72% of software developers say they are very security-conscious in their roles while only 50% of CISOs rate software developers as very security-conscious.
- Developers report security teams don’t understand a crucial security surface area: container images. Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work, which is low when compared to other aspects of how developers perceive their security team to understand their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software build tools (59%).
- Despite disagreements on how each team views the other’s security prowess or understanding of tooling, software supply chain security is a top priority for developers and security teams alike. The report found that 92% of developers say software supply chain security is at least very important to their day-to-day work and development processes, with 39% marking it as absolutely essential. Ninety-three percent of CISOs noted effective software security as a critical component of their organizational maturity and threat / risk mitigation strategy, and 96% say effective software security practices are important to meeting government or regulatory requirements.
- A concerning percentage of developers and CISOs report vulnerability scanning false positive fatigue. The report found that 36% of CISOs and 34% of developers report that an overwhelming number of scanner false positive vulnerability alerts are among the biggest obstacles an organization faces in ensuring software supply chain security. Both groups also cite consumption of vulnerable software and a lack of cohesion between CISOs and developers as main obstacles to software supply chain security.
- Collaboration and communication between CISOs and developers is lacking, but there is strong alignment on desired business outcomes. CISOs (69%) and developers (64%) agree that lack of communication and collaboration between developers and security teams is a problem. Despite the tension present, both teams agree that it is absolutely essential that best practices and tooling in software security result in certain business outcomes, including customer retention (43% and 40%, respectively), meeting or satisfying procurement contract obligations (36% and 32%), fewer breaches or compromises (34% each), and developer / engineer productivity (32% and 34%).
Balancing security priorities and developer productivity creates conflict
Developers have already been wrestling with the natural tension between “build fast and break things” and the shift-left security movement. At the same time, CISOs are under immense pressure to maintain their organization’s security and compliance posture amid rising threats to the supply chain.
According to the report, nearly 8 in 10 CISOs (77%) and more than two-thirds of developers (68%) agree that the need to prioritize security causes tension between their teams. The report found that developers don’t want their day-to-day productivity to be affected by security tools or requirements, with 43% strongly agreeing that software supply chain security practices shouldn’t make it more difficult for them to get their work done.
Tooling is also contributing to the tension, with 32% of developers strongly agreeing that the work/tools their security team requires them to use interferes with their productivity and innovation.
The five year forecast on software supply chain security
While the industry has closed some gaps in the old world of software consumption, the new modern reality today is faced with closing even more, including an explosion of open source software, constant upgrades and patches and new classes of exploits that target software artifacts, container images and build systems. Frameworks for software supply chain security–like Supply-chain Levels for Software Artifacts (SLSA) and the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF)–have rapidly matured and given security teams methods for how they approach policies and oversight, while giving developers more prescriptive best practices. According to the report, in alignment with the importance already placed on software supply chain security by developers and CISOs, most say that their organizations already have some tools in place to address software supply chain security. These include the adoption of Software Bill of Materials (SBOMs) (40%) and nearly half are implementing software supply chain security frameworks like SLSA (47%) and SSDF (47%).
In addition to the existing adoption of software supply chain security tooling and frameworks, CISOs and developers expect changes to come in the next five years for software supply chain security at their organizations. The majority believe that prioritization of software supply chain security will increase over the next five years (85% among developers, 74% among CISOs), with almost one-third of developers saying that this will significantly increase (32% and 22% among security leaders). CISOs have a slightly more tempered approach, with 23% anticipating their company’s approach to remain the same (vs. 15% among developers). This slightly tempered outlook on prioritization by security decision-makers could be due to the fact that they themselves are more involved in and having more visibility around long-term security strategy decisions.
The report surveyed 520 security decision-makers (n=268) and developers (n=552) on how the different roles view overall responsibilities and expectations for software supply chain security, the importance of software supply chain security, and the pain points and successes in each team’s approach to software supply chain security.