February 2024

Can I share data from this report?

1. License Grant
This report is licensed under the Creative Commons Attribution-NoDerivatives Licence 4.0 (International). Put simply, subject to the terms and conditions of this license, you are free to:

Share: You can reproduce the report or incorporate parts of the report into one or more documents or publications, for commercial and non-commercial purposes.

Under the following conditions:

Attribution: You must give appropriate credit to SlashData™ and to Red Hat as sponsors of this report, and indicate if changes were made. In that case, you may do so in any reasonable manner, but not in any way that suggests that SlashData™ endorses you or your use.

NoDerivatives: You cannot remix or transform the content of the report. You may not distribute modified content.

2. Limitation of Liability
SlashData™ believes the statements contained in this publication to be based upon information that we consider reliable, but we do not represent that it is accurate or complete and it should not be relied upon as such. Opinions expressed are current opinions as of the date appearing in this publication only, and the information, including the opinions contained herein, is subject to change without notice. Use of this publication by any third party for whatever purpose should not and does not absolve such third party from using due diligence in verifying the publication's contents. SlashData™ disclaims all implied warranties, including, without limitation, warranties of merchantability or fitness for a particular purpose. SlashData™, its affiliates, and representatives shall have no liability for any direct, incidental, special, or consequential damages or lost profits, if any, suffered by any third party as a result of decisions made, or not made, or actions taken, or not taken, based on this publication.

SlashData | The analyst of the developer economy | formerly known as VisionMobile
SlashData Copyright 2024 | Some rights reserved

About the authors

Konstantinos Korakitis, Director of Research
Konstantinos heads the Research Product team at SlashData and is responsible for all syndicated research products and custom research projects. With more than 10 years of experience as an engineer, consultant and manager, he oversees research planning, survey design, data analysis, insights generation and research operations.
konstantinos@slashdata.co

Liam Dodd, Senior Market Research Analyst
Liam is a former experimental antimatter physicist, and he obtained a PhD in Physics while working at CERN. He is interested in the changing landscape of cloud development, cybersecurity, and the relationship between technological developments and their impact on society.
liam.dodd@slashdata.co

Table of contents
Introduction 5
Software Efficacy 17
Software Integrity 25
Delivery Performance 34
Process Automation 41
Remediation Practices 49
Overall software supply chain security maturity score 59
Conclusion and next steps 74
Appendix 80

Maturity of Software Supply Chain Security Practices 2024

1. Introduction

Crucial to modern development practices, security covers all stages: from the initial code creation, through to deployment, and ongoing maintenance and management. Security practices within the SSC aim to prevent, detect, and respond to threats, vulnerabilities, and malicious activities in the software delivered.
What is Software Supply Chain Security?
The software supply chain (SSC) involves the interconnected network of tools, libraries, dependencies, and deployment environments that are involved in delivering software. SSC security refers to the practices, processes, and technologies that developers and organizations employ to safeguard the integrity, confidentiality, and availability of software throughout the entire software development lifecycle.

Through this report, commissioned by Red Hat, Inc. and authored by SlashData, we aim to measure the various practices and processes organizations are currently undertaking, and convert that into an SSC security maturity score that indicates the maturity of their processes. High SSC security maturity scores indicate organizations with strong software efficacy and integrity, delivery performance, and process automation, including remediation practices, all of which are crucial to improving risk management and resilience.

Maturity in SSC security can be measured by an organization's capability to systematically and proactively manage aspects of security throughout its entire SSC, to quickly find and fix security events: specifically, the organization's integration of best practices, its ability to adapt to emerging threats, and high levels of monitoring, working in combination with the systems and processes to remediate vulnerabilities.

The findings of this report are based on data collected from an online survey designed, hosted, and fielded by SlashData on behalf of Red Hat Inc. in Q4 2023. The survey reached more than 800 developers from over 80 countries.

High SSC security maturity is associated with a greater ability to surface vulnerabilities and increased speed in addressing the vulnerabilities discovered. Higher maturity is also likely to help manage costs through improved resource utilization and reduced rework, as well as improving customer satisfaction through increased stability and reliability. This marks how crucial SSC security maturity is for modern organizations to ensure they are developing and deploying secure software.

Executive Summary
To understand the level of SSC security maturity within organizations, we surveyed developers working throughout the software supply chain with security questions about assurance, transparency, compliance, consistency, and resilience. We questioned developers and their organizations, and calculated a maturity score for their practices for software efficacy and integrity, software delivery performance, process automation, and remediation practices. These were then consolidated into a single score indicating their overall SSC security maturity in standing with the market.

Assurance in SSC security is measured by the maturity of software efficacy practices, for which software remains unchanged over time and does what it was meant to do. This is derived through the use of an open source governance policy for predictable and stable operations with minimal disruptions.

Key insights:
49% of developers have policies reflecting low-to-medium levels of maturity when measuring software assurances in their supply chain, indicative of opaque processes and a less systematic approach, as compared to only 8% who have policies considered an elite level of maturity. Many employ security practices as the best endeavor of developers instead of standardizing security-focused golden paths that remove the toil of ensuring compliant code and increase developer confidence.
While 51% of developers track open source package trustworthiness at an elite level of maturity, only 11% of developers' organizations currently have some form of open source software governance policy considered to have an elite level of maturity. Just 14% say their organizations perform open source library scanning at a frequency consistent with elite levels of maturity.
While developers personally employ responsible security practices, without institutional support the SSC is still exposed to unnecessary risks.

Transparency in SSC security can be seen in the maturity of software integrity practices to ensure consistency and standardization. This is based on a clear and transparent series of guidelines and approaches available throughout code creation, so that software performs its intended functions without failure or errors.

Key insights:
60% of developers have code creation practices belonging to either the elite- or high-maturity groups when measuring transparency in the SSC. But when committing code changes, there are significantly different results. This has an immediate impact on the trustworthiness of artifacts passing through the SSC at the point of code entry (code commit).
45% of developers say their IDE and plugin guidelines and policy enforcements are in keeping with low-to-medium maturity groups, where vulnerabilities are introduced through unverified or unsecure extensions.
While 54% of developers actively undertake vulnerability discovery in continuous integration for elite security practices, just 20% of developers are engaged in elite security practices for code changes each time a pull request is made.
With just 16% of developers reporting that their organizations use elite-maturity approaches to communicating security vulnerabilities internally, this is a further organization-level shortcoming.
With malicious code being allowed to subvert applications and threaten enterprise security, there is a need for provenance and attestations of software artifacts to ensure integrity and authenticity continuously across the SSC. As is, just 13% create and validate digital signatures for their artifacts and containers, in keeping with an elite level of maturity.

Compliance in SSC security can be measured by the maturity of software delivery performance that meets industry-specific regulatory standards. Security practices and controls in build systems directly speed up the build process through automation and standardization, for faster, more frequent builds in deployments.

Key insights:
52% of developers practice software delivery performance in the build stage that is in keeping with elite- or high-maturity groups. Compliance in the SSC is drawn from the use of automated image assessment that verifies vendor-supplied base images, as opposed to curating their own trusted content. Dependency analytics becomes challenging when trying to ascertain risk profiles, especially when trying to understand the impact radius of any given security threat.
While 58% perform scanning of files in their system configuration management at a frequency in keeping with the elite-to-high maturity group, to protect from possible poisoned pipeline execution, a large majority (63%) of developers still employ poor base image selection consistent with a medium-maturity practice.
57% of developers do not harness information in a software bill of materials (SBOM) to verify if pipeline compliance has been met. 61% also say they don't know how to store and analyze SBOMs, much less know how to generate one. Being security compliant in the SSC to safeguard build systems from malicious code injection does not need to be complicated.

Consistency in SSC security can be measured through the maturity of process automation, in how automated security checks are embedded into both build and deployment pipelines: specifically, the use of security practices and policies as code that proactively mitigate the continuous security risk posed by progressive delivery.

Key insights:
54% of developers have embraced process automation, as seen in elite-to-high maturity practices, to scale security checks in CI/CD pipelines for consistency across the SSC. This is driven through dedicated application platform teams that standardize and expedite onboarding for more efficient, security-focused workflows, allowing organizations to continuously deploy to an auditable, immutable state.
While 67% of developers have strong CI/CD security practices that remove repetitive tasks and the configuration drift that comes from human intervention, and 83% of developers are engaged in pipeline security risk mitigation that matches elite-to-high maturity groups, the use of cryptographic tools for the signing of artifacts remains elusive. Only 13% of developers automatically generate and validate digital signatures as part of the continuous integration process, in keeping with elite-maturity practices.
Organizations need help taking steps to start generating an automated chain of trust that validates artifact signatures and attestations, and confirms the expected build process, to enforce security policies related to SLSA requirements and increase their security posture in their CI/CD pipeline.

Resilience in SSC security can be observed by the maturity of remediation practices employed for consistent, robust service delivery across multiple environments. Processes that readily surface and identify vulnerabilities in runtime environments ensure customers and users are not exposed to security issues. Responding quickly without alert storms prevents disruption to business operations and prolonged downtimes.

Key insights:
It is here that we see the largest proportion of respondents receiving a low maturity score, with 44% of developers citing poor remediation practices, in keeping with the low-maturity group. Failure to increase resiliency in their SSC to withstand shocks from cyber attacks is attributed to not having a full understanding and audit of possible vulnerabilities.
53% of developers are already well placed in the tools used for tracking container images, engaging in elite-maturity practices, but 45% of these same developers say they surface runtime security issues in real time and only 15% of developers scan their container images with high frequency. Threat hunting only works if teams are able to identify and isolate high-vulnerability CVEs (Common Vulnerabilities and Exposures) in their existing images.
Just 18% of developers claim that they generate, store, and analyze SBOMs, in keeping with elite-maturity practices, but a much smaller number today, 7% of developers, are actually tapping into the information within SBOMs to guide their remediation efforts. Organizations need a better way of proactively directing their efforts by threat severity, without alert fatigue.

Key insights:
When aggregating the five SSC security maturity scores above to assess the overall maturity of security practices, just 7% of developers and their organizations can claim elite-level maturity security practices in their SSC. The industry as a whole can be divided into those with either high-maturity (40%) or medium-maturity practices (41%).
When asked for a five-star rating, developers with elite-maturity practices placed their organizations most favorably in being able to attain and maintain secure and mature practices, with an ethos of continuous improvement in their SSC's security practices. However, the same cannot be said of developers in other maturity groups, who remain unaware of how exposed their organization may be. As compared to 81% of developers in the high SSC security maturity group, 49% of developers in the medium SSC security maturity group rate their organizations in a similarly positive standing of what constitutes good security practices. These developers have overestimated their organization's performance and missed many improvements that can be made to the overall efficiency of their SSC security.
As technical leaders seek to implement mature SSC security practices, they should take into consideration that while their developers are repeatedly involved in mature security practices, their organizations still lack overall rigor in security.

Large organizations are likely to have these resources and are looking towards dedicated security and DevSecOps teams to help ensure secure practices and mature guidelines are instituted in the organization's SSC. While these organizations benefit from increased resources, this can also create organizational inertia. Developers and their organizations should get ahead of these additional layers that introduce cognitive load and overheads. More specifically, a holistic, trusted SSC strategy is needed that will increase their ability to rapidly implement and propagate changes and adapt to industry best practices.
Organizations that have scored highly in SSC security maturity are more likely to be aware of how many vulnerabilities are in their SSC and how much risk they and their customers are exposed to. These organizations' strong current performance is a factor of having dedicated resources to support disparate teams that are interacting constantly across complex code bases, with the associated volume and velocity of deployments.

2. Software Efficacy

For each aspect, the most mature practice a developer or organization is engaged in translates to: Elite (4 points), High (3 points), Medium (2 points), Low (1 point), None (0 points). The maximum score for a practitioner is, therefore, 20 points. Overall maturity for software efficacy is grouped as follows:
Elite (18-20 points)
High (13-17 points)
Medium (8-12 points)
Low (0-7 points)

Software efficacy is the first area of SSC security we explore, and measures the degree to which software remains unchanged and consistent in its behavior over time, avoiding unexpected disruptions. Within the context of SSC security, we derive the maturity of developers' and their organizations' practices from the governance surrounding open source software and packages, as well as source code write access.

To assess the maturity of software efficacy, we designed a set of survey questions that cover various aspects of this SSC security area, such as open source software governance policies and dependency tracking policies within organizations. Depending on the developers' answers to each of these questions, we categorize them as elite, high, medium, or low performers in each of these aspects. The table below summarizes how we measure performance in each of these aspects as well as on software efficacy in general.
Aspects of Software Efficacy: maturity clusters (Elite / High / Medium / Low / None)

Open source software governance policy
Question: What best describes your company's policies and governance for the usage of open source software in your applications?
Elite: Categorized risk-based controls, or Strict adherence to approved libraries/licenses
High: Organization guidelines enforced in CI/CD, or Project-specific assessments
Medium: Developer education on licensing
Low: Organization guidelines, but no validation
None: No guidelines for open source software/libraries use

Open source package trustworthiness
Question: How do you ensure the trustworthiness of the open source packages you select for your projects?
Elite: Use vulnerability or dependency management tools, or Check responsible disclosure policy
High: Investigate usage in reputable projects, or Verify active community, or Review package maintainers
Medium: Ensure licensing aligns with project, or Guidance from in-house experts, or Consult external, respected peer-developers, or Use registry/package manager information, or Assess repository ratings/download statistics, or Assess release/commit frequency
Low: Select package with most likes/downloads
None: -

Open source library scanning frequency
Question: How often do you scan your open source libraries/dependencies for newly detected vulnerabilities?
Elite: Daily, or Hourly/continuously
High: Weekly
Medium: After a new build or when project changes in SCM, or Monthly
Low: Only after industry vulnerability notices, or Quarterly
None: We don't perform any vulnerability detection on open source dependencies

Dependency tracking practices
Question: Which of the following practices do you use to keep track of libraries and dependencies in your applications?
Elite: Automated tools continuously monitor and update library usage, or Track all used, even indirectly, with a full history
High: Track all used, even indirectly, without full history
Medium: Track only those used directly, with a full history, or Ad hoc queries can list which projects are running
Low: Only track those we use directly
None: We don't track this

Source code write access
Question: What is your organization's approach to source code repositories' write access management?
Elite: Role-based access
High: Team-based access, or Integration with identity management systems
Medium: Individual access control, or Access requests and approvals process
Low and None: -
Just over half (51%) of developers and/or their teams can be classified as high or elite performers in terms of software efficacy, indicating a considerable level of maturity in that respect. However, we can see that for different parts of software efficacy, there are distinctly different levels of maturity. For determining an open source package's trustworthiness, the majority of developers are engaging in practices associated with elite maturity. Compare this to the open source software governance policies which organizations use, where only 11% of developers' organizations currently have policies considered at an elite level of maturity. This disparity underscores a notable distinction: while developers are excelling in implementing elite practices at their level for trustworthiness assessments, the same level of maturity is less frequently mirrored in the broader organizational context, where strategic decisions and overarching policies guide the use of open source software across projects. Developers may be security-focused and personally employing responsible and secure practices, but without institutional support, the SSC is still exposed to unnecessary risks.

Greater maturity for software efficacy leads to consistent, predictable, and stable operations with minimal disruptions. More mature dependency management also leads to faster resolution of issues. Fewer disruptions, resolved quickly, help improve customer satisfaction, and higher maturity aims to minimize disruptions and their impact.

[Chart: Developers' maturity for aspects of Software Efficacy maturity, % of developers (n=831). Stacked bars (None / Low / Medium / High / Elite) for: Open source software governance policy; Open source package trustworthiness; Open source library scanning frequency; Dependency tracking practices; Source code write access; Software efficacy maturity (Assurance). The individual segment values cannot be reliably recovered from the extracted text.]

Insights
While there are developers with low and medium software efficacy maturity who are able to address vulnerabilities in third-party code promptly, they are a much smaller percentage (12%) of that maturity group than for the high- (18%) and elite-maturity (23%) groups. Organizations should aim to set themselves up for the highest likelihood of success, and improving their software efficacy maturity is demonstrably an effective method to do this.

Increased software efficacy not only aims to minimize vulnerabilities being introduced into the SSC through third-party packages, but also makes teams faster to respond and address when vulnerabilities are discovered. Comparing how long it takes teams to address vulnerabilities identified in third-party code against developers' software efficacy maturity shows a clear trend supporting this aim. We can see that increased software efficacy maturity is associated with both shorter response times and greater knowledge of the time taken to address them. More than a third of developers in the low software efficacy maturity group do not know how long it would take for these vulnerabilities to be addressed. This is indicative of processes being opaque to developers, meaning a less systematic approach and less experience with addressing them, leading to more vulnerable software overall.

Software efficacy maturity against time to address vulnerabilities in third-party code
% of developers in each maturity performance group (n=722)
Question asked: How long does it take your team to fix vulnerabilities or security issues that you identify in the following stage of your software development lifecycle?: When using open source libraries (e.g. third-party dependencies)

Time to address                         Elite   High   Medium   Low
Less than 8 hours                        23%    18%     10%    12%
8 to 24 hours                            23%    24%     18%    13%
1 day to 1 week                          28%    34%     25%    25%
1 week to 1 month                        15%    13%     15%    12%
1 to 3 months / more than 3 months (*)    3%     5%      3%     4%
Not sure / I don't know                   6%     5%     26%    35%

(*) Rebuilt from the chart's data labels in legend order (Elite, High, Medium, Low); the chart labels only one of its two longest-duration segments, so that row's values belong to whichever of the two was labelled.

3. Software Integrity
For each aspect, the most mature practice a developer or organization is engaged in translates to Elite (4 points), High (3 points), Medium (2 points), Low (1 point), None (0 points). The maximum score for a practitioner is, therefore, 28 points. Overall maturity for software integrity is grouped as follows:
Elite (25-28 points)
High (18-24 points)
Medium (11-17 points)
Low (0-10 points)

Software integrity refers to the ability of an organization's software to consistently perform its intended functions without failure or errors. This is achieved by a clear and transparent series of guidelines and approaches towards development throughout the code creation process that ensure consistency and standardization. Within the context of SSC security maturity, this draws from an organization's approach to IDE and plugin usage, as well as identifying and communicating vulnerabilities.

To assess maturity in software integrity, developers were asked about various aspects of this SSC security area, such as the security practices developers use when changing code and IDE policies within organizations. Depending on the developers' answers to each of these questions, we categorize them as elite, high, medium, or low performers in each of these aspects. The table below summarizes how we measure performance in each of these aspects as well as in software integrity in general.

Aspects of Software Integrity: maturity clusters (Elite / High / Medium / Low / None)

Code change security practices
Question: What security practice(s) do you or your team use when changing code?
Elite: Security test each PR with container image security scanning
High: Automatic open source and dependency scanning security tests, or Automatic static application security tests, or Security test each PR for embedded secrets
Medium: Commits and PRs must be formally reviewed by other team member, or Commits and PRs must be formally reviewed by specified team member, or Conduct manual code reviews with a focus on security aspects for each PR
Low: -
None: We don't use any security practices during code changes

IDE and plugin usage guidelines
Question: How are the IDEs and plugins used at your organization determined?
Elite: Use organization-approved IDEs/plugins
High: Selection locked-down
Medium: Flexibility in choosing IDEs and plugins, or Developers trusted to use secure tools
Low: -
None: No formal policy for IDE or plugin use

IDE and plugin policy enforcement
Question: How is the policy for IDEs and plugins enforced at your organization?
Elite: Real-time automated policy enforcement
High: Tool selection is completely locked down
Medium: Endpoint protection validates tool usage, or Developers trusted to only use approved tools
Low: Survey developer usage occasionally
None: We don't have policies for tool monitoring

Security practices during code creation
Question: Which of the following practices do you or your team follow to ensure security during the code creation process?
Elite: Software composition analysis (SCA), or Cryptographic signatures
High: Static application security testing (SAST), or Version/source control
Medium: Including metadata in code artifacts
Low: -
None: Not sure/I don't know

Security vulnerability discovery
Question: How do you or your team find out about security vulnerabilities in the code that you write?
Elite: During CI/build process with a SAST tool, or From authenticated vulnerability databases or feeds
High: Through the IDE using an extension for SCA, or External or security team audit and tickets
Medium: Peer code review, or Bug bounty programs, or Security-focused mailing lists
Low: Through news/forums/social media
None: -

Internal security communication methods
Question: Which of the following methods are used to communicate internally about software supply chain security issues (e.g. vulnerabilities)?
Elite: Automated security alerts
High: Automated notifications, or Dedicated communication tools
Medium: Collaborative code review, or Documentation updates, or Centralized task management
Low: Regular meetings
None: No formal communication approaches

Communication responsibility
Question: For each method of internal communication, please indicate who is primarily responsible for each method
Elite: DevSecOps team, or Security or incident team
High: -
Medium: Development team
Low: Project managers
None: -
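The point scheme and cluster thresholds the report states for software efficacy (section 2: five aspects, 20 points maximum) and for software integrity (above: seven aspects, 28 points maximum), applied in code. This is an added example written for this page, not code from SlashData or Red Hat: the point values, aspect names and cluster ranges are the report's own, the rule that a multi-select answer scores its most mature selected practice follows the report's wording ("the most mature practice a developer or organization is engaged in"), and the two respondent answer sets are constructed, not survey data.

```python
# Added example for this page (not code from the SlashData/Red Hat report):
# the report's per-aspect point scheme and maturity clusters, applied to
# constructed survey answers. Point values, aspect names and cluster ranges
# are the ones the report states; the respondent answer sets are constructed.

POINTS = {"Elite": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Cluster ranges (inclusive) as stated in the report for each area.
CLUSTERS = {
    "software efficacy": (("Elite", 18, 20), ("High", 13, 17),
                          ("Medium", 8, 12), ("Low", 0, 7)),
    "software integrity": (("Elite", 25, 28), ("High", 18, 24),
                           ("Medium", 11, 17), ("Low", 0, 10)),
}

# Aspects per area, as named in the report's tables (5 and 7 aspects).
ASPECTS = {
    "software efficacy": (
        "Open source software governance policy",
        "Open source package trustworthiness",
        "Open source library scanning frequency",
        "Dependency tracking practices",
        "Source code write access",
    ),
    "software integrity": (
        "Code change security practices",
        "IDE and plugin usage guidelines",
        "IDE and plugin policy enforcement",
        "Security practices during code creation",
        "Security vulnerability discovery",
        "Internal security communication methods",
        "Communication responsibility",
    ),
}


def max_points(area):
    """Maximum attainable score for an area: 4 points per aspect (20 and 28)."""
    return POINTS["Elite"] * len(ASPECTS[area])


def aspect_points(levels):
    """Points for one aspect. `levels` holds the maturity level of every
    practice the respondent selected for that (multi-select) question; the
    report scores the most mature one. Nothing selected scores as None (0)."""
    if not levels:
        return POINTS["None"]
    return max(POINTS[level] for level in levels)


def score_area(area, answers):
    """Sum per-aspect points for an area and map the total to a cluster.
    `answers` maps aspect name -> list of selected maturity levels.
    Unknown aspect names raise rather than silently scoring as None."""
    unknown = set(answers) - set(ASPECTS[area])
    if unknown:
        raise ValueError(f"unknown aspect(s) for {area}: {sorted(unknown)}")
    total = sum(aspect_points(answers.get(aspect, ())) for aspect in ASPECTS[area])
    for cluster, low, high in CLUSTERS[area]:
        if low <= total <= high:
            return total, cluster
    raise ValueError(f"total {total} outside the {area} score range")


# Constructed respondent (not survey data): strong individual practice, weaker
# organizational policy, the pattern the report describes.
EXAMPLE_EFFICACY = {
    "Open source software governance policy": ["Low"],
    "Open source package trustworthiness": ["Elite", "Medium"],
    "Open source library scanning frequency": ["High"],
    "Dependency tracking practices": ["Medium"],
    "Source code write access": ["High"],
}  # 1 + 4 + 3 + 2 + 3 = 13 -> High

EXAMPLE_INTEGRITY = {
    "Code change security practices": ["Medium", "Medium"],
    "IDE and plugin usage guidelines": ["None"],
    "IDE and plugin policy enforcement": ["Low"],
    "Security practices during code creation": ["High", "Elite"],
    "Security vulnerability discovery": ["Elite", "Low"],
    "Internal security communication methods": ["High"],
    "Communication responsibility": ["Medium"],
}  # 2 + 0 + 1 + 4 + 4 + 3 + 2 = 16 -> Medium

if __name__ == "__main__":
    for area, answers in (("software efficacy", EXAMPLE_EFFICACY),
                          ("software integrity", EXAMPLE_INTEGRITY)):
        total, cluster = score_area(area, answers)
        print(f"{area}: {total}/{max_points(area)} points -> {cluster}")
```

The constructed efficacy respondent lands in the High cluster on 13 points even though one aspect scores Low, and the integrity respondent lands in Medium on 16 points despite two Elite aspects: a single weak organizational policy pulls the area score down, which is the disparity between individual and organizational practice the report describes.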
This area of SSC security maturity is where developers are currently showing the highest levels of maturity, with 60% belonging to either the elite- or high-maturity group. On the other hand, 9% of developers are showing low maturity, indicating a minority who need to make significant changes to their practices around software integrity. However, examining the different aspects that contribute to integrity maturity shows there are large differences between them, and highlights where the industry is currently engaging in less mature practices. When it comes to the security practices developers use during code creation, 91% of developers are engaging in elite- or high-maturity practices. However, when looking at the systematic security approaches organizations and teams use when committing code changes, we see significantly different results. Only 20% are engaged in elite practices, and a further 30% in high-maturity practices. This is a further example of how developers in their individual role responsibility may engage in secure practices, but once entering into organization- or team-level interactions, the maturity of practices falls off significantly, which leaves the entire SSC vulnerable.

Further evidence of this is seen in the fact that only 36% of developers report their organization's IDE or plugin usage policy at elite or high maturity. A further organization-level shortcoming is that only 16% of developers report that their organizations are using elite-maturity approaches to communicating security vulnerabilities internally. This repeats the findings in efficacy maturity: developers are more likely to carry out mature security practices at their level, while their organizations' policies are less mature.

IDE and plugin policies and standardizations represent one area where more mature practices should be embraced at a greater rate, and can directly benefit organizations. Mature practices here minimize the introduction of vulnerabilities through unverified or unsecure extensions, and allow security to be maintained by high-quality standards that are enforced proactively. Similarly, organizations are currently showing a lower focus on mature communication methods, meaning that highly mature practices in other aspects of software integrity maturity can be undermined by ineffective communication and delays in addressing problems.

Higher maturity for software integrity can reduce the number of vulnerabilities that make it to production. This can also help reduce service disruptions. Fewer disruptions help improve customer satisfaction, and higher maturity aims to minimize disruptions and their impact.

All of the aspects that feed into software integrity impact the overall maturity for this area of SSC security maturity, but the result of only 15% of developers achieving an elite-maturity score highlights that leaving any of them underdeveloped risks exposing software to vulnerabilities.

[Chart: Developers' maturity for aspects of Software Integrity maturity, % of developers (n=831). Stacked bars (None / Low / Medium / High / Elite) for: Code change security practices; IDE and plugin usage guidelines; IDE and plugin policy enforcement; Security practices during code creation; Security vulnerability discovery; Internal security communication; Software integrity maturity (transparency). The individual segment values cannot be reliably recovered from the extracted text.]

Compared to software efficacy, we see that for low software integrity maturity, the percentage of those able to address vulnerabilities in less than eight hours is just 7%. While these two maturity measures focus on different areas of the SSC, and measure the speed of addressing vulnerabilities from different vulnerability sources, this highlights how underperformance in some areas of SSC security can have larger impacts than in others. While unsecure third-party package practices expose organizations to vulnerabilities, it is possible to envision a range of methods that these low-maturity organizations can have in place to address the specific vulnerability itself with relative speed. However, unsecure practices in the code developers have written can be much more difficult to address without the range of mature practices highlighted previously. As such, low software integrity maturity is likely to have a greater impact on development velocity.

Alongside integrity maturity aiming to diminish vulnerabilities introduced into code, which can impact service continuation, high integrity maturity is also associated with quicker response times to vulnerabilities identified in code created by developers or their teams. 22% of developers in the elite software integrity maturity group take less than eight hours to respond to a vulnerability in their code, compared to just 7% of those in the low maturity group. In other words, elite-maturity developers are three times more likely
114、 to address a vulnerability in less than eight hours than those in the low-maturity group.Further,as seen with efficacy maturity,increased integrity maturity is associated with greater ability and knowledge about how long it will take to address issues.Half of the developers in the low integrity-mat
115、urity group do not know how long it would take for these vulnerabilities in their code to be addressed,compared to just 2%of those in the elite maturity group.Organizations and developers focusing on engaging in mature integrity allow vulnerabilities to be addressed quickly and effectively.Insights3
116、33.Software IntegrityMaturity of Software Supply Chain Security Practices 2024Software integrity maturity against time to address vulnerabilities in created code22%13%15%7%25%24%14%13%31%30%28%22%13%15%14%6%7%4%3%3%3%11%24%50%EliteHighMediumLowTransparency maturity against time to address vulnerabil
117、ities in code 8 hours8 to 24 hours1 day to 1 week1 week to 1 month1 to 3 monthsMore than 3 monthsNot sure/I dont knowQuestion asked:How long does it take your team to fix vulnerabilities or security issues that you identify in the following stage of your software development lifecycle?:In code that
4. Delivery Performance

Scoring: for each aspect, the most mature practice a developer or organization is engaged in translates to: Elite (4 points), High (3 points), Medium (2 points), Low (1 point), None (0 points). The maximum score for a practitioner is, therefore, 12 points. Overall maturity for delivery performance is grouped as follows: Elite (11-12 points), High (8-10 points), Medium (5-7 points), Low (0-4 points).

Delivery performance identifies the security practices that developers are engaged in during the building stage that prevent vulnerabilities and ensure the authenticity of images, which allow faster and more frequent builds in deployments. While strong security practices can directly speed up the build process through automation and standardization, their strongest impact is on preventing vulnerable builds that require rollbacks and developer time to address issues.

To assess delivery performance maturity, we created several questions about various aspects of this SSC security area, such as source-code management (SCM) vulnerability scanning frequency and image authentication. Depending on the developers' answers to each of these questions, we categorize them as elite, high, medium, or low performers in each of these aspects. The table below summarizes how we measure performance in each of these aspects as well as on delivery performance in general.

Aspects of delivery performance and maturity clusters

SCM vulnerability scanning frequency
Question: After you or your team commit and/or merge code, how often do you check it in your SCM for security vulnerabilities?
  Elite: Daily, or Hourly/continuously
  High: Weekly, or Scanned at pull request or merge
  Medium: Monthly
  Low: Only scan for vulnerabilities in the IDE or CLI, or On an ad hoc basis
  None: No scanning for vulnerabilities

Base image selection
Question: After you or your team commit and/or merge code, how often do you check it in your SCM for security vulnerabilities?
  Elite: Developers must base their images on custom "golden images" built by our platform team
  High: Vendor-supplied base images, or Minimal base images, or Maintain our own base images within the organization
  Medium: Any base images from public registries, or Open source community contributions that meet our requirements
  Low: -
  None: Not sure/I don't know

Image authentication
Question: How do you verify the authenticity of your images prior to deployment?
  Elite: Sign images when building, then verify the signature before deploying, or Perform automated image assessment before deployment
  High: Employ image scanning tools to verify image authenticity
  Medium: Only use images stored in our private registry, or Only use images stored in our namespace in a public registry
  Low: -
  None: We don't verify the authenticity of images when running

We can also see that developers and their organizations are performing poorly when it comes to their base image selection. While 22% are engaging in the most elite practice, the majority (63%) are employing medium-maturity practices. This represents a significant divide and contributes strongly to separating those receiving high or elite delivery performance from those with lower maturities. Developers and organizations looking to improve their SSC security maturity on delivery performance should aim to increase the frequency with which they scan their SCM for vulnerabilities and standardize more mature base image selection practices.

We find that 52% of developers belong to the elite- or high-delivery performance maturity groups. Worryingly, 21% of developers and their organizations are in the low-maturity group. These low-maturity organizations risk undermining their ability to have fast and frequent deployments due to the lack of security and attention paid at this crucial stage of development. Slow and inconsistent feature releases that may emerge as software rollbacks are undertaken to address vulnerabilities are likely to lead to customer dissatisfaction. Further, organizations risk exposing their customers to vulnerabilities without mature security practices to prevent vulnerabilities from being packaged and deployed.

[Chart: Developers' maturity for aspects of Delivery Performance maturity, % of developers (n=821). Aspects: SCM vulnerability scanning frequency; Base image selection; Image authentication; Process automation maturity (consistency). Levels: None, Low, Medium, High, Elite.]

Developers and organizations who can address vulnerabilities in their build process faster are able to have more secure builds, more frequently. Unlike previous maturity comparisons against the time to address vulnerabilities, the proportion of developers in each maturity group who can address vulnerabilities in less than eight hours is relatively flat (19% for low to 21% for medium and high maturity) until elite maturity, where it jumps up (26%). This suggests that it is possible to have a process for fast response across vulnerabilities, but focusing on this alone would miss the wider importance of developers' awareness of time to address. Developers being unaware of how long a vulnerability would take to address in their build process highlights a lack of systematic approaches, well-defined practices, and exposure or experience with how to address vulnerabilities. All of these create huge impediments to consistent and stable deployments and are likely to introduce even greater delays. Further, a lack of well-defined processes creates new opportunities for vulnerabilities to be introduced or for vulnerabilities to not be discovered.

With the goal of more secure, reliable, and faster deployments, we compare how long it takes developers or their teams to address vulnerabilities during build against their delivery performance maturity. As seen with other areas of SSC security maturity, increased maturity is associated with both faster response times and a greater ability to provide an estimate. 53% of developers in the low-maturity group were unable to provide a time to fix, compared to just 4% of those in the elite-maturity group.
For those with elite delivery performance maturity, 26% of the developers could address vulnerabilities in less than eight hours, compared to 21% for high and medium maturity and 19% for low maturity.

[Chart: Delivery performance maturity against time to address vulnerabilities in the build process, % of developers in each maturity performance group (n=705). Groups: Elite, High, Medium, Low. Time buckets: less than 8 hours; 8 to 24 hours; 1 day to 1 week; 1 week to 1 month; 1 to 3 months; More than 3 months; Not sure/I don't know. Question asked: How long does it take your team to fix vulnerabilities or security issues that you identify in the following stage of your software development lifecycle?: At build-time in CI/CD pipelines.]

5. Process Automation

Scoring: for each aspect, the most mature practice a developer or organization is engaged in translates to: Elite (4 points), High (3 points), Medium (2 points), Low (1 point), None (0 points). The maximum score for a practitioner is, therefore, 16 points. Overall maturity for process automation is grouped as follows: Elite (14-16 points), High (10-13 points), Medium (6-9 points), Low (0-5 points).

Process automation reflects how well organizations have automated aspects of the build and deployment pipelines and, more importantly, the scale of automated security checks within them. This assesses the security practices included in an organization's CI/CD pipelines, as well as how they mitigate security risks in their automated deployment pipelines. Greater automation here increases the efficacy of these automated processes, reduces human intervention, leads to overall more efficient usage of developer time, and leads to fewer human errors in deployments.

The maturity of automation is assessed through questions that ask about various aspects of this SSC security area, such as CI/CD security practices and pipeline ownership. Depending on the developers' answers to each of these questions, we categorize them as elite, high, medium, or low performers in each of these aspects. The table below summarizes how we measure performance on each of these aspects as well as on process automation in general.

Aspects of automation and maturity clusters

CI/CD security practices
Question: What security practices do you include in your CI/CD pipelines?
  Elite: Container image security scanning with every PR, or Digitally sign build artifacts for authenticity, or Scan artifacts in repository for vulnerabilities before deploying, or Conduct penetration testing, or Dynamic Application Security Testing (DAST)
  High: At least two of: Test for embedded secrets with every PR; Enforce license compliance checks for open source components; Tests during build process to validate artifacts meet security standards; Isolate the build environment
  Medium: Only one of: Test for embedded secrets with every PR; Enforce license compliance checks for open source components; Tests during build process to validate artifacts meet security standards; Isolate the build environment
  Low: -
  None: We don't perform any security testing for PRs

Pipeline ownership
Question: Who takes ownership of defining and updating the build pipeline(s) for a specific repository in your organization?
  Elite: Dedicated DevOps team creates and maintains all of them
  High: Developers and DevOps engineers collaborate, or Automated tools manage pipelines; minimal manual intervention
  Medium: External services manage our pipelines, or Ownership is decentralized to each team
  Low: Developers create and maintain their own, or Ownership varies by project
  None: Not sure/I don't know

Pipeline security risk mitigation
Question: How do you mitigate security risks in your automated deployment pipelines?
  Elite: GitOps principles for declarative, secure processes, or Canary deployments for secure rollbacks
  High: Orchestration tools for secure deployments, or Security-focused automation tools, or Observability tools for issue detection and rollbacks, or Version controls for secure rollbacks
  Medium: Addressing poisoned pipeline risks with access controls, or Pipeline-scanning security tools
  Low: -
  None: Not using specific tools for security

Digital signature creation
Question: How do you create and validate digital signatures for your artifacts and containers?
  Elite: Automatically generated and validated as part of CI process, or Container registry enforces the use of digital signatures for all containers, or Dedicated team responsible for managing digital signatures
  High: Cryptographic tools create them for all artifacts and containers before deployment, or Generated and verified using blockchain technology, or Combination of public and private keys to ensure authenticity, or Follow industry best practices for creating and validating digital signatures
  Medium: -
  Low: Third-party services create and validate digital signatures, or Manually create and validate digital signatures when necessary
  None: We don't currently use digital signatures for our artifacts and containers

Further efforts from organizations should be made towards their approaches to pipeline ownership. Moving pipeline ownership towards specific security-focused teams, and to organization-wide standardized approaches, can secure your SSC. It helps facilitate a consistent and high level of security in your CI/CD pipelines, which sets a minimum bar that no developer or team falls beneath. Further, should issues emerge, standardized pipelines lead to uniform changes within your organization, so that no weak points persist.

For process automation, we find that 54% of developers are in either the high- or elite-maturity group. This is a positive result, as improving the maturity of process automation not only leads to more secure CI/CD processes but also creates more efficient workflows that allow developers to deploy secure software promptly with minimal security disruptions. Unautomated processes lead to developers spending more time managing builds and addressing vulnerabilities, reducing the time they can spend innovating and solving novel problems.

A positive mark can be seen with the practices developers use to mitigate security risks in their CI/CD pipelines, with 27% engaging in elite-maturity practices and 56% in high-maturity practices. This again indicates that developers are thinking of security and are keeping it at the front of their minds during their development. However, 34% of developers are not using cryptographic signatures and 9% are using a low-maturity approach. Cryptographic signatures are crucial to securing an organization's pipelines, and failure to use them introduces risks of malicious code changes. This is a practice developers should focus on implementing, and a fully automated process can reduce developer time and human error.
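The elite answer in the image authentication and digital signature rows above (sign at build, verify before deploy) is the practice this paragraph says developers should focus on. The Go block below is an added example, not code from the report or from any tool it surveys: it uses the standard library's crypto/ed25519 to sign the SHA-256 digest of a built image and, at deploy time, recomputes the digest of what was actually pulled, checks it against the attested digest, and verifies the signature with the trusted public key. The image bytes, the in-process key generation and the function names (SignAtBuild, VerifyBeforeDeploy, NewBuildKey) are assumptions of this example; a real pipeline would hold the signing key in a KMS or signing service and verify against a pinned, distributed public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is what the build step publishes alongside the image:
// the digest it signed and the signature over that digest.
type Attestation struct {
	Digest    string // hex-encoded SHA-256 of the image content
	Signature []byte // ed25519 signature over the digest string
}

// imageDigest hashes the image content. A registry would hash the manifest;
// hashing raw bytes is an assumption that keeps this example self-contained.
func imageDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// NewBuildKey generates the CI signing key pair. In practice the private
// half never leaves the signing service; here it is created in-process.
func NewBuildKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignAtBuild is the build-side step: sign the digest of the image just built.
func SignAtBuild(priv ed25519.PrivateKey, image []byte) Attestation {
	d := imageDigest(image)
	return Attestation{Digest: d, Signature: ed25519.Sign(priv, []byte(d))}
}

// VerifyBeforeDeploy is the deploy-side gate. It returns nil only when the
// pulled content matches the attested digest and the signature was made by
// the trusted build key; any error means the deployment must be refused.
func VerifyBeforeDeploy(pub ed25519.PublicKey, image []byte, att Attestation) error {
	if imageDigest(image) != att.Digest {
		return errors.New("digest mismatch: pulled image differs from the signed build")
	}
	if !ed25519.Verify(pub, []byte(att.Digest), att.Signature) {
		return errors.New("signature invalid: not signed by the trusted build key")
	}
	return nil
}

func main() {
	pub, priv := NewBuildKey()
	image := []byte("constructed image content v1") // constructed sample, not a real image

	att := SignAtBuild(priv, image)
	fmt.Println("genuine build:", VerifyBeforeDeploy(pub, image, att))

	// Content changed after signing: the digest no longer matches.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyBeforeDeploy(pub, tampered, att))

	// Same content, but attested by a key the deploy gate does not trust.
	_, rogue := NewBuildKey()
	fmt.Println("untrusted signer:", VerifyBeforeDeploy(pub, image, SignAtBuild(rogue, image)))
}
```

The two failure paths are deliberately distinct: a digest mismatch means the artifact changed between build and deploy, while a signature failure means the attestation did not come from the key the gate trusts. Both are logged as refusals in the deploy step rather than silently falling back to an unsigned pull.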
[Chart: Developers' maturity for aspects of Process Automation maturity, % of developers (n=821). Aspects: CI/CD security practices; Pipeline ownership; Pipeline security risk mitigation; Digital signature creation; Process automation maturity (consistency). Levels: None, Low, Medium, High, Elite.]

Developers and organizations that leverage greater automation maturity to promptly and systematically address vulnerabilities in their build process are able to address discovered issues quickly, which leads to secure and reliable deployments. Similar to the impact of delivery performance maturity on the time to address vulnerabilities in build processes, process automation maturity's strong correlation with not only speed but knowledge indicates the wide range of vulnerabilities that low-maturity developers are exposed to. With build processes introducing steps and stages that developers may not have full oversight over, increasing maturity ensures standardized approaches with high levels of security for all developers involved.

Process automation aims for more secure and reliable deployments, which we can assess through how long it takes developers or their teams to address vulnerabilities during build against their process automation maturity. As seen with other areas of SSC security maturity, increased maturity is associated with both faster response times and a greater ability to provide an estimate. 52% of developers in the low-maturity group were unable to provide a time to fix, compared to just 3% of those in the elite-maturity group. For those with elite process automation maturity, 24% of the developers could address vulnerabilities in less than eight hours, compared to 21% for low maturity.

[Chart: Process Automation maturity against time to address vulnerabilities in the build process, % of developers in each maturity performance group (n=692). Groups: Elite, High, Medium, Low. Time buckets: less than 8 hours; 8 to 24 hours; 1 day to 1 week; 1 week to 1 month; 1 to 3 months; More than 3 months; Not sure/I don't know. Question asked: How long does it take your team to fix vulnerabilities or security issues that you identify in the following stage of your software development lifecycle?: At build-time in CI/CD pipelines.]

6. Remediation Practices

Scoring: for each aspect, the most mature practice a developer or organization is engaged in translates to: Elite (4 points), High (3 points), Medium (2 points), Low (1 point), None (0 points). The maximum score for a practitioner is, therefore, 24 points. Overall maturity for remediation practices is grouped as follows: Elite (21-24 points), High (15-20 points), Medium (9-14 points), Low (0-8 points).

Remediation practices identify the practices organizations engage in to surface and identify vulnerabilities in runtime environments, as well as to address vulnerabilities in running applications and services. Applications in runtime are an area where organizations must devote exceptional care to ensure that customers and users are not exposed to vulnerabilities.

To assess maturity on remediation, developers were asked about various aspects of this SSC security area, such as container scanning frequency and their use of SBOMs. Depending on the developers' answers to each of these questions, we categorize them as elite, high, medium, or low performers in each of these aspects. The table below summarizes how we measure performance on each of these aspects as well as on remediation practices in general.

Aspects of remediation and maturity clusters

Container scanning frequency
Question: How often do you or your team scan your container images for security vulnerabilities?
  Elite: Daily, or Hourly/continuously
  High: Weekly, or During build
  Medium: Monthly, or During deployment
  Low: Occasionally
  None: We don't scan our container images

Surfacing runtime security issues
Question: What security practices do you include at runtime to surface security issues?
  Elite: Real-time protection mechanisms, or Interactive Application Security Testing (IAST)
  High: Proactively monitor and detect security anomalies, or Behavior-based anomaly detection
  Medium: Conduct security audits
  Low: Prioritize performance monitoring and compliance
  None: We don't follow any specific approach for runtime security monitoring

Container tracking
Question: How do you keep track of which container images are running in production?
  Elite: Tools track production container images with a history, or Comprehensive solution to manage production container images
  High: Tools track production container images, but not change history
  Medium: Ad hoc queries to identify production container images
  Low: Basic method to track production container images, lacking details
  None: No dedicated process to monitor production container images

SBOM generation
Question: Do you or your organization generate SBOMs for the software or services that you build? If so, how?
  Elite: Automatically generated and saved during build process for all services
  High: Automatically generated and saved during build process for some services
  Medium: Manually generated when requested
  Low: We don't generate SBOMs
  None: I don't know if we generate SBOMs / I do not know what an SBOM is

Information within SBOMs
Question: What type of information do you include in your generated SBOMs?
  Elite: Automatically generate signed SBOMs with verifiable attestation
  High: Information on the origins of the software and components, or Vulnerability information including details about impact
  Medium: Basic dependency information for indirect dependencies
  Low: Basic dependency information for direct dependencies
  None: We don't generate SBOMs

SBOM storage and analysis
Question: How do you store and analyze SBOMs that you receive (including SBOMs from external sources)?
  Elite: Automatically and continuously scan SBOMs upon receipt and maintain an inventory for analysis
  High: A solution that maintains an inventory of SBOMs, scanned on a regular basis
  Medium: Manually scan SBOMs for vulnerabilities when we receive them, and store them
  Low: We manually scan SBOMs upon receipt for vulnerabilities
  None: We don't currently require SBOMs for services, or We don't generate SBOMs
Low remediation maturity not only makes developers and their organizations less capable of surfacing and addressing vulnerabilities in runtime environments, but also places them at unnecessary risk of compliance failures. Compliance failures are not only associated with customer risk and dissatisfaction, but also with fines and punishments, and within industries like financial or governmental services the possible consequences can be very severe. The inability to have a full understanding and audit of possible vulnerabilities poses substantial risks to organizations and their customers, and addressing it and improving processes should be a priority.

Remediation practices maturity is the area of SSC security maturity where we see the largest proportion of respondents receiving a low maturity score, 44%. A major driver of this is the low adoption of SBOMs, which is further impacted by the prevalence of low- and medium-maturity practices when SBOMs are a part of the development lifecycle. However, beyond the generation and analysis of SBOMs, we also observe large divides in maturity for other contributions to the remediation maturity metric.

On other aspects of remediation maturity, 53% of developers reported that the container tracking practices they used were within the elite maturity bracket, but 29% of developers carried out no container tracking. Similarly, 45% of developers reported elite-maturity practices for surfacing issues in runtime environments, with 23% engaging in no specific approach or practices. This can lead to a large proportion of developers, and the organizations they work for, being left behind when it comes to implementing mature remediation practices.

SBOMs, when implemented well, act as a record of historical truth of what went into each build. Further, their ability to act as an integrated part of build-time checks allows suspicious builds to be caught before they are deployed to production, highlighting that their value extends to many areas of vulnerability prevention and detection.
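The elite answer in the SBOM storage and analysis row, keeping an inventory of received SBOMs so that analysis can run against stored data, is what makes the "record of historical truth" above useful in practice: when a new advisory arrives, the question "which of our deployed builds contain this package version?" is answered from the inventory, without rebuilding or rescanning anything. The Go block below is an added example and not the report's or any vendor's code. It parses a minimal CycloneDX-shaped JSON document (only the bomFormat and the components' name, version and purl fields), stores one SBOM per service and build, and reports which stored builds contain a version named in an advisory. The two SBOMs, the service and package names, and the advisory identifier ADV-EXAMPLE-0001 are constructed placeholders, not real components or vulnerabilities; exact-version matching is an assumption that stands in for proper version-range comparison.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Component is the subset of a CycloneDX component kept in the inventory.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// SBOM mirrors the top-level shape of a CycloneDX JSON document, reduced to
// the fields this example needs; unknown fields are ignored by encoding/json.
type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// ParseSBOM decodes a received document and rejects formats this inventory
// does not understand instead of silently storing an empty component list.
func ParseSBOM(data []byte) (SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return SBOM{}, err
	}
	if s.BOMFormat != "CycloneDX" {
		return SBOM{}, fmt.Errorf("unsupported bomFormat %q", s.BOMFormat)
	}
	return s, nil
}

// Inventory keeps every SBOM received, keyed by service and then by build id,
// so the history of what each build contained is never overwritten.
type Inventory struct {
	builds map[string]map[string]SBOM
}

func NewInventory() *Inventory {
	return &Inventory{builds: map[string]map[string]SBOM{}}
}

// Add stores the SBOM for one build of one service.
func (inv *Inventory) Add(service, build string, s SBOM) {
	if inv.builds[service] == nil {
		inv.builds[service] = map[string]SBOM{}
	}
	inv.builds[service][build] = s
}

// Advisory is a constructed vulnerability record: the affected package name
// and the exact versions reported as affected.
type Advisory struct {
	ID       string
	Package  string
	Affected []string
}

// Affected answers an advisory from stored data, returning sorted
// "service@build" entries whose SBOM lists an affected version.
func (inv *Inventory) Affected(adv Advisory) []string {
	bad := map[string]bool{}
	for _, v := range adv.Affected {
		bad[v] = true
	}
	var hits []string
	for svc, builds := range inv.builds {
		for id, s := range builds {
			for _, c := range s.Components {
				if c.Name == adv.Package && bad[c.Version] {
					hits = append(hits, svc+"@"+id)
					break // one hit per build is enough
				}
			}
		}
	}
	sort.Strings(hits) // map iteration order is random; make output stable
	return hits
}

// Constructed sample SBOMs; the services and packages are not real.
const paymentsSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"name":"libexample-http","version":"2.3.1","purl":"pkg:generic/libexample-http@2.3.1"},
 {"name":"libexample-json","version":"1.0.0","purl":"pkg:generic/libexample-json@1.0.0"}]}`
const reportsSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"name":"libexample-http","version":"2.4.0","purl":"pkg:generic/libexample-http@2.4.0"}]}`

// DemoAffected loads both sample SBOMs and queries a constructed advisory.
func DemoAffected() []string {
	inv := NewInventory()
	p, err := ParseSBOM([]byte(paymentsSBOM))
	if err != nil {
		panic(err)
	}
	r, err := ParseSBOM([]byte(reportsSBOM))
	if err != nil {
		panic(err)
	}
	inv.Add("payments", "build-101", p)
	inv.Add("reports", "build-7", r)
	adv := Advisory{ID: "ADV-EXAMPLE-0001", Package: "libexample-http", Affected: []string{"2.3.0", "2.3.1"}}
	return inv.Affected(adv)
}

func main() {
	fmt.Println(DemoAffected()) // [payments@build-101]
}
```

Because the inventory is keyed by build rather than overwritten per service, the same query also answers the historical question of whether an affected version was ever deployed, which is what distinguishes the elite and high answers from manual scanning at receipt time.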
[Chart: Developers' maturity for aspects of Remediation Practices maturity, % of developers (n=797). Aspects: Container scanning frequency; Surfacing runtime security issues; Container tracking; SBOM generation; Information within SBOMs; SBOM storage and analysis; Remediation practices maturity (availability). Levels: None, Low, Medium, High, Elite.]

Examining the time to address vulnerabilities in runtime environments against remediation maturity shows similar trends to other areas of SSC security maturity. As maturity increases there is a greater knowledge of how long vulnerabilities take to address, with no developers in the elite remediation maturity group being unable to provide a time estimate.

We also see a general trend of reduced response times as remediation maturity increases from low to elite. However, we see a peak in those with medium remediation maturity scores. This may be a consequence of more than half of developers (53%) in the medium remediation maturity group working at organizations with fewer than 100 employees. As such, they may have less complex runtime environments with fewer containers in production. This means that they are able to address vulnerabilities promptly despite using less mature remediation practices. However, more mature practices also aim to make it easier to discover vulnerabilities, which may be missed without developers and organizations employing the most mature practices.

Put together, this indicates that addressing vulnerabilities in runtime environments is more complicated than simply adopting better practices. However, the reduction in the proportion of those who are unsure, with none of those with elite remediation practice maturity being unable to estimate a time, emphasizes that improving maturity helps improve velocity and knowledge of processes. As discussed previously, greater knowledge of how long it takes to address vulnerabilities indicates a greater understanding of the processes that are involved in addressing them and a reduced chance of insecure or improper methods that may still leave organizations exposed.

As discussed above, addressing vulnerabilities in runtime environments follows a different trend than the other areas of the SSC when it comes to maturity against time to address. As previously highlighted, time to address vulnerabilities is positively correlated with both smaller organizations and higher maturity, while higher maturity is associated with larger organizations. This highlights the particular importance of high- and elite-maturity remediation practices for large organizations, to prevent all the related issues that come with failing to adopt them.

[Chart: Remediation Practices maturity against time to address vulnerabilities in runtime environments, % of developers in each maturity performance group (n=689). Groups: Elite, High, Medium, Low. Time buckets: less than 8 hours; 8 to 24 hours; 1 day to 1 week; 1 week to 1 month; 1 to 3 months; More than 3 months; Not sure/I don't know. Question asked: How long does it take your team to fix vulnerabilities or security issues that you identify in the following stage of your software development lifecycle?: During runtime monitoring in production.]

7. Overall SSC Security Maturity Score

Just 7% of developers surveyed are in the elite SSC security maturity group, indicating that across all five areas, they and their organizations are engaging in some of the most secure and mature practices. A further 40% are in the high SSC security maturity group, representing developers whose teams and organizations are showing high maturity in many areas of the SSC, but some are underperforming in one area, which is lowering their overall SSC security maturity. For a third of the developers in the high-maturity group, remediation is the area in which they are performing worst. This is unsurprising given the poor maturity scores for this area, but it highlights that this is a key area that organizations need to improve on, especially those who are otherwise performing well in the four other areas.

Based on developers' performance across the five individual areas of SSC security maturity, we are able to create a single combined SSC maturity score. This score is an assessment of a developer's and their organization's overall performance for all areas of the SSC. It is determined by taking the maturity score for each of the five areas and converting it to points: elite (4 points), high (3 points), medium (2 points), and low (1 point). These are added together to give the overall SSC security maturity score, which is categorized as follows: Elite (18-20 points), High (13-17 points), Medium (8-12 points), Low (5-7 points).
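The scoring rules stated here and in the delivery performance, process automation and remediation sections above are simple enough to reproduce mechanically, which is useful when checking one's own organization against the report's bands. The Go block below is an added example, not the report's own tooling: it encodes the per-area thresholds exactly as the text gives them (3, 4 and 6 aspects with maxima of 12, 16 and 24 points; five areas totalling 5 to 20 points overall), sums the points of the most mature practice per aspect, and shows how a single low-scoring area pulls four elite areas down to a high overall score, the situation described for a third of the high-maturity group. The Level and Band types and the function names are assumptions of this example; the point values and band boundaries come from the report.

```go
package main

import "fmt"

// Level is the maturity cluster assigned to one aspect, or to one whole area
// when feeding the overall score. Its integer value is the point value the
// report assigns: None 0, Low 1, Medium 2, High 3, Elite 4.
type Level int

const (
	None Level = iota
	Low
	Medium
	High
	Elite
)

func (l Level) String() string {
	return [...]string{"None", "Low", "Medium", "High", "Elite"}[l]
}

// Band is one row of a grouping table: the lowest total that earns Level.
type Band struct {
	Min   int
	Level Level
}

// Groupings as stated in the report, highest band first. The lowest band of
// each area starts at the smallest total that area can produce.
var (
	DeliveryPerformance = []Band{{11, Elite}, {8, High}, {5, Medium}, {0, Low}}  // 3 aspects, max 12
	ProcessAutomation   = []Band{{14, Elite}, {10, High}, {6, Medium}, {0, Low}} // 4 aspects, max 16
	Remediation         = []Band{{21, Elite}, {15, High}, {9, Medium}, {0, Low}} // 6 aspects, max 24
	Overall             = []Band{{18, Elite}, {13, High}, {8, Medium}, {5, Low}} // 5 areas, 5 to 20
)

// group maps a point total onto the first band whose minimum it reaches.
func group(total int, grouping []Band) Level {
	for _, b := range grouping {
		if total >= b.Min {
			return b.Level
		}
	}
	return Low // only reached if a total is below every band's minimum
}

// AreaScore sums the points of the most mature practice reported for each
// aspect and groups the total with the area's thresholds.
func AreaScore(aspects []Level, grouping []Band) (int, Level) {
	total := 0
	for _, a := range aspects {
		total += int(a)
	}
	return total, group(total, grouping)
}

// OverallScore converts five area levels (Low..Elite; None is not a valid
// area result) to points and groups the sum with the overall thresholds.
func OverallScore(areas [5]Level) (int, Level) {
	total := 0
	for _, a := range areas {
		total += int(a)
	}
	return total, group(total, Overall)
}

func main() {
	// Four elite areas and one low area: 4*4 + 1 = 17 points, which is High.
	total, level := OverallScore([5]Level{Elite, Elite, Elite, Elite, Low})
	fmt.Println(total, level) // 17 High

	// Remediation with all six aspects at Medium: 12 points, Medium (9-14).
	total, level = AreaScore([]Level{Medium, Medium, Medium, Medium, Medium, Medium}, Remediation)
	fmt.Println(total, level) // 12 Medium
}
```

Note that the overall bands are not reachable from five area levels in a way that lets one elite area compensate for a low one: elite overall requires at least 18 of 20 points, so at most two areas may drop to high and none may be lower.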
[Chart: Developer maturity for each area of SSC and overall SSC security maturity, % of developers (n=831). Areas: Software Efficacy Maturity; Software Integrity Maturity; Delivery Performance Maturity; Process Automation Maturity; Remediation Practices Maturity; Software Supply Chain Security (SSCS) Maturity. Levels: Low, Medium, High, Elite.]

Developer Perceptions of an Organization's SSC Security Maturity

While we have previously highlighted that developers are often more likely to be engaged in more secure practices than their organizations enforce through policy and guidance, we can also understand how well developers assess their organization's overall SSC security maturity. Developers were asked to score their own organization's SSC security on a scale of one to five stars, where one star represented "poor" and five stars "exemplary". This allows us to check how accurately developers rate their organizations compared to our assessment of their organization's performance, and to highlight how developers' understanding of their own SSC security maturity can differ from reality in crucial ways.

Developers at organizations with elite SSC security maturity are overall aware that their organization is performing well, with 53% rating their organization five stars and 47% rating it four stars. This split may indicate one of the reasons these developers and their organizations score so well, as they may still be comparing their actions against areas where they are not performing as well as they think they can, even while already achieving excellent results. In other words, a mark of elite SSC security maturity may be a focus on continuous improvement in processes to attain and maintain secure and mature practices throughout their SSC.

The perceptions of developers at low SSC security maturity organizations are a greater concern. 8% gave their organization a five-star rating and 12% a four-star score. This indicates that many developers appear to be unaware of good security practices and how exposed their organization may be. Similarly, a further 39% giving their organization three stars highlights that while these developers may be aware of their shortcomings, they appear unaware of how far behind their organizations are. This not only means these developers and organizations are exposed to vulnerabilities, but also that the organization as a whole is missing out on many improvements to the overall efficiency of their SSC.

Taken as a whole, developers are generally aware of how their organization performs. We see decreasing ratings as we move from elite to low SSC security maturity. However, looking beyond the trend reveals troubling observations. 37% of developers at high SSC security maturity organizations gave their organization a five-star rating. While these organizations are
not the most troublesome, these developers may be less likely to consider further improvements as worthwhile, even though they have areas to improve.

Developers in the medium SSC security maturity group who overestimated their organization's performance repeatedly performed well in one area that affects SSC security maturity while receiving poor maturity scores in all other areas. This emphasizes two points we have seen throughout: a developer's personal security focus and a lack of organizational rigor in security. Developers are repeatedly involved in mature security practices when asked about practices over which they have specific domain, while engaging in less mature practices at the organizational level.

Crucially, when leaders implement mature SSC security practices, developers' assessment of the current risk to their SSC may underestimate problems that do not fall under their direct responsibility. As such, technology leaders should focus on building golden templates to be followed and on integrating checks throughout their SSC, moving the cognitive and management workload away from developers and allowing them to focus on what they do best.

Proportion of developers in each SSC security maturity group (% of developers by SSCS maturity): Elite 7%, High 40%, Medium 41%, Low 12%.

Developer ratings of their organisation's SSC security maturity against overall SSCM metric performance (% of developers in each SSC security maturity group, n=791; cells the chart does not label are left blank)

Rating     Low    Medium   High   Elite
5 stars    8%     15%      37%    53%
4 stars    12%    34%      44%    47%
3 stars    39%    35%      17%
2 stars    27%    12%
1 star     14%    4%

Question asked: On a scale of 1 to 5 stars, where 5 stars is exemplary and 1 star is poor, how would you rate your organization's software supply chain (SSC) security?

SSC Security Maturity and Fixing Vulnerabilities

Mature SSC security is composed of minimizing the introduction of vulnerabilities into the SSC, the thorough identification of vulnerabilities that do get introduced, and fixing them in every instance when discovered. In previous sections, we highlighted a correlation between quicker response times and elite or high maturity in that specific area of the SSC. Further, we asked developers how many vulnerabilities their team had addressed within the last 12 months. Developers who received better SSC security maturity scores were more likely to have addressed more vulnerabilities, as well as being more likely to know how many. This matches observations discussed previously, where greater maturity is associated with greater awareness of ongoing security-related incidents and response times within the organization.

The higher number of vulnerabilities addressed by elite and high-performing organizations suggests that the more security practices developers are engaged in, the better they are at identifying and addressing issues. Roughly a third of developers in both groups addressed between one and five vulnerabilities in the last 12 months. More impressively, the proportion catching more than 20 vulnerabilities in the last 12 months was 12 times higher at elite-performing organizations (36%) than at low-performing organizations (3%). There is a caveat: we find a higher concentration of elite performers in larger organizations, which likely means they have a higher number of complex applications that introduce more opportunities for vulnerabilities.

However, what this result suggests is that many organizations with poor security practices are unaware of the vulnerabilities that may exist within their SSC. Organizations with low SSC security maturity are likely unaware of how many vulnerabilities are in their SSC, and of how much risk they and their customers are exposed to.

For technological
leaders wanting to develop software that is more secure, has fewer vulnerabilities, and can address discovered vulnerabilities effectively should look to implement high- and elite-maturity practices from all areas of the SSC. These practices are listed in the chapters for each area of the SSC.

The relationship between SSC security maturity performance and discovering and addressing more vulnerabilities leads to a key conclusion: high and elite maturity throughout the entire SSC is key to building safe and secure software. Elite SSC security maturity requires developers to be engaged in elite practices across all five areas of the SSC. While those in the medium SSC security maturity group may have mature practices in one area, they have low maturity in the other areas. Despite their strong performance in one area, they are still less likely to discover and address as many vulnerabilities, on average, as those with high or elite maturity in all areas.

[Chart: Number of vulnerabilities addressed by a developer or their team in the last 12 months, for each SSC security maturity group (Elite, High, Medium, Low). Response categories: Not sure / I don't know; 0; 1-5; 6-10; 11-20; More than 20. % of developers in each SSC security maturity group (n=751). Question asked: In the last 12 months, how many security vulnerabilities or threats required your team's immediate attention due to their impact or severity?]

SSC Security Maturity and Different Organization Sizes

As SSC security maturity performance is assessed on both developer and organization-wide practices, it is worth considering the possible impact of organization size, in terms of employees, on SSC security maturity scores.

As the number of employees at an organization increases, we see a trend where the proportion of high- and elite-maturity performers increases, along with a decrease in the proportion of poor performers. Larger organizations are likely to have more resources, in terms of capital and people, to dedicate to security-related activities. Similarly, large organizations are also able to have dedicated security and DevSecOps teams, which can help ensure secure practices and mature guidelines are instituted throughout the organization's SSC.

Another important consideration is that larger companies are likely to be more cognizant of the consequences of poor security in terms of fines and legal ramifications. As such, while they may be focusing less specifically on SSC security, their wider efforts are leading to positive results for SSC security maturity. Further, while SSC security is a relatively new area for developers and organizations to focus on, many of the most mature practices for many aspects integrate industry-best DevOps practices. In a similar vein, larger organizations are likely to have more complicated code bases, a larger number of deployments, and more developers interacting with and making changes to code. As such, they are more likely to be investing in methods for tracking changes, automating their deployments, and implementing methods to identify containers in production. While all of these are only a small part of SSC security, their use has benefits outside of security, which is leading to wider adoption and the positive results we already see for some organizations.

However, we saw a small decrease in the proportion of elite- and high-maturity developers at the largest enterprises. While these organizations benefit from increased resources to dedicate to security, their size may be introducing greater organizational inertia than at smaller enterprises. Changes in policy, technology purchases, and implementation of guidelines may have to go through many individuals and teams, slowing down their ability to adapt to the industry's best practices. However, this offers a lifeline to smaller organizations. They may have fewer resources at their disposal, but they can rapidly implement and propagate changes and pivot to better practices.

SSC security maturity performance at different organization sizes (overall SSCS maturity; % of developers at each organization size, n=658)

Organization size                                Low    Medium   High   Elite
Micro-business (2-20 employees)                  20%    44%      32%    4%
Small business (1-100 employees)                 13%    41%      39%    7%
Mid-market organisation (101-1,000 employees)    9%     40%      46%    5%
Enterprises (1,001-10,000 employees)             6%     38%      46%    10%
Large enterprises (10,000+ employees)            9%     43%      44%    5%

Question asked: What is the size of the organization that you work for?

8. Conclusion and Next Steps | Maturity of Software Supply Chain Security Practices 2024

This report marks the first assessment of the maturity of the industry's SSC security practices. We find that a commitment to ensuring security throughout the SSC is clearly of importance to the majority of organizations. However, there is still a long way to go to ensure that all are performing exceptionally. Currently, the industry is split into two camps, with almost half of the developers surveyed falling into the high-performance maturity groups (40% high maturity, 7% elite) and 53% of developers in the lower-performance maturity groups. However, throughout the report, we have identified various practices that developers and leaders can implement to improve their SSC security. While elite maturity is the aspiration, it is crucial that those in the low and medium SSC security maturity groups make changes to achieve at least high maturity.

Implementing the elite- and high-maturity practices associated with each area of the SSC is key to developers and organizations increasing the security of their SSC. Creating effective practices will also require organizations to focus on developing templates and guidelines that match the industry-best practices highlighted throughout this report. These security-focused golden paths reduce the time and energy developers must spend ensuring that their code complies with their organization's security practices. Similarly, technological leaders introducing more automated and integrated checks helps offload developers' workload and prevents non-compliance through proper provenance and attestations. This includes safeguarding build systems from insecure practices with a chain of trust that propagates across the SSC. This can also be achieved by enabling CI/CD workflows that validate software artifacts and confirm the expected build process, preventing suspicious build activity from being promoted.

Larger organizations are overall performing better but may struggle to adapt to all of the best practices for every area of the SSC due to the scale of their operations. These organizations are likely to benefit from elevating security and incident teams to develop high- and elite-maturity practices that can be enforced and applied throughout the entire SSC for all teams. Having teams that can accurately direct and
respond quickly to emerging threats at runtime, with continuous security monitoring in the SSC, cuts down alert storms and prolonged production downtime. By standardizing security monitoring and automation best practices throughout an organization, the organization's SSC security maturity performance can be increased, with the goal of preventing further business disruptions.

Smaller organizations are those most in need of improving security in their software delivery processes. While they may lack the resources available to the largest organizations, their smaller scale allows them to pivot and adopt improved security practices and workflows should they commit to this vital area. Improving security early not only reduces organizations' exposure to vulnerabilities early in development but also helps improve their build and release pipeline by automating practices, increasing the ease with which deployments can be managed and reducing the amount of rework by standardizing systems. Further, having policies as code accelerates progressive delivery, as builds are deployed continuously to an auditable and immutable state, preventing human error and misconfiguration.

There is a large range of practices organizations can begin implementing to improve the security of their SSC, and everyone benefits from the industry continually striving to improve its security standards. Some of the most impactful practices across the SSC include introducing formal and effective policies around the use of open source software and packages. Having dependency analysis and vulnerability management processes allows teams to understand what's in their open source software components. This also allows teams to assess the impact radius of security threats in their codebase. This has a large impact on efficacy maturity and is an aspect that currently has a lower proportion of high- or elite-maturity practices. With an increased awareness of how their organization is now performing, we believe it is a good moment for leaders at technology companies to explore and implement some of these best practices, allowing them to build more secure software more efficiently and more reliably. It is crucial that technology leaders verify their application pipelines are compliant with industry standards, such as SLSA requirements, to improve their security posture and avoid the associated costly fines and penalties.

We found that organizational culture and practices that are the responsibility of the organization are two areas of SSC security that have a higher proportion of low-maturity practices. While developers may think about security while they write and build code, ensuring the same level of security is maintained within an organization's guidelines is an area that is currently underserved. Practices that involve the interaction of developers with their organization's systems and processes repeatedly show a low proportion of high-maturity practices, reinforcing that organizations and leaders are crucial to implementing strong and secure practices. Similarly, ensuring that there are formal and well-managed methods for communicating about vulnerabilities within an organization may be less obvious as an area in which to invest resources. However, without these, the ability to respond to surfaced vulnerabilities is reduced. Further, by introducing digital signatures throughout their SSC, developers can see large benefits to their SSC security, as correct implementation brings benefits across many areas and significantly improves their maturity performance. Another area where developers can make a large impact on their performance is the use of SBOMs. The generation, analysis, and storage of SBOMs is a strong practice that can better help address vulnerabilities and lead to improvements in SSC security maturity. This is further emphasized by the growing range of methods for indexing and managing SBOMs alongside vulnerability explorers, which increase developers' ability to generate actionable insights when needed.

Overall, while almost half of developers are showing high or elite SSC security maturity, considerable attention has to be applied to improving the vulnerability exposure of those in the
low and medium SSC security maturity performance groups. Guidance on the best practices to implement can be found in the tables for each area of the SSC, showing the elite- and high-maturity practices associated with all aspects of SSC security maturity.

Appendix
Demographics of Respondents
Methodology

Appendix - Demographics of Respondents (A)

Geographic distribution of respondents (% of developers, n=831)
Western Europe & Israel: 27%
North America: 22%
Middle East & Africa: 11%
East Asia ex. Greater China: 11%
Greater China area: 8%
South Asia: 7%
Eastern Europe, Russia & Former CIS: 6%
South America: 6%
Oceania: 1%
Question asked (derived): Which country are you based in?

Appendix - Demographics of Respondents (B)

Experience (years in software development) distribution of respondents (% of developers, n=831)
Under 1 year: 3%
1-2 years: 9%
3-5 years: 24%
6-10 years: 20%
11-15 years: 18%
16+ years: 26%
Question asked: How many years have you been working in the software development and/or technology sector?

Appendix - Demographics of Respondents (C)

Organization size (employees) distribution of respondents (% of developers, n=831)
Micro-business (2-20 employees): 22%
Small business (21-100 employees): 25%
Mid-market organisation (101-1,000 employees): 23%
Enterprises (1,001-10,000 employees): 18%
Large enterprises (10,000+ employees): 12%
Question asked: What is the size of the organization that you work for?

Appendix - Demographics of Respondents (D)

Distribution of development activities and involvement of respondents (% of developers, n=831)
Writing and contributing code: 67%
Building and integrating code: 52%
Team collaboration and communication: 48%
Writing and conducting tests: 45%
Deploying and monitoring applications: 44%
Managing software configurations: 42%
Coordinating software releases: 37%
Ensuring security and compliance: 33%
Addressing security incidents and issues: 32%
Creating user guides and documentation: 30%
Gathering and using feedback: 23%
Question asked: Which of the following software development activities are you involved in, in a professional capacity?

Appendix - Methodology

Every SlashData survey is monitored and cleaned to ensure the highest standards of retained responses. Our proprietary cleansing is designed to mitigate and remove opportunistic, fraudulent and bot responses. Consisting of multiple criteria formulated around logic rules, speed, consistency and response-taking behaviour, this holistic assessment is key to our continued success.

In Q3 2023, SlashData designed and ran an online survey in conjunction with Red Hat to measure the state of software supply chain security in the technology sector. We conducted the analysis presented in this report based on the 831 respondents who replied to this custom survey. Many of the questions in this custom survey were specifically designed and co-created to address Red Hat's business objectives. Where possible, however, we compare distributions of responses on topics such as programming language use and developer experience to SlashData's Developer Nation Surveys, a bi-annual survey that reaches over 40,000 developers each year.

We use the insight afforded to us from our Developer Nation surveys to help calibrate our analysis of data in our smaller, custom surveys. Utilising the geographical distributions derived from our larger surveys, we weight the data based on the region where the developer is located. By weighting, we mean that we assign a numerical value to individuals based on their region's representation, to account for discrepancies in the sampled population and correct, where possible, for sampling biases. SlashData's Developer Nation Survey reaches developers from more than 160 countries across the globe and is designed to collect information on a variety of topics pertinent to those working in the technology industry. On each survey, we solicit information from developers on their usage of prominent technology companies' developer resources, including Red Hat's. Hence, due to the larger, more representative sample we repeatedly collect from our Developer Nation Surveys, SlashData can estimate the distribution of developers engaging with, building on, and developing for Red Hat around the world.

Applying weights to the data affords multiple benefits. For example, in our research, we consistently find that behaviour and perceptions vary based on geographical location. Hence, weighting the data by region aids in correcting biases caused by over- or under-representation of various regions and enables the analysis to offer more representative insight into the business and research objectives. An additional benefit of weighting data is that it more easily allows comparison to past and future custom surveys, even when the geographical distribution of the respondents varies greatly. The percentages and distributions presented in the report use weighted data.

For calculating the maturity scores for individual questions, single-choice options had a maturity score applied based on their maturity categorisation. For multiple-choice questions, careful effort was undertaken in the analysis to acknowledge that engaging in multiple less mature practices can be equivalent to a single higher-maturity option.

Understand developers. Inspire the future of technology.
Who developers are | Where they are going | What they buy | Developer population sizing | Developer segmentation
Why developers are adopting competitor products and how you can fix that
Emerging platforms: augmented & virtual reality, machine learning
We survey 30,000+ developers annually across Web, Desktop, Cloud, Mobile, Industrial IoT, AR/VR, Machine Learning and Data Science, Games, Consumer Electronics and Apps/Extensions for 3rd party ecosystems, to help companies understand who developers are, what they buy and where they are going next.
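As an added worked example (not SlashData's or Red Hat's code), the Python below reproduces the two calculations the report describes: the combined SSC maturity score from section 7 (per-area points of elite 4, high 3, medium 2, low 1, summed and banded as Elite 18-20, High 13-17, Medium 8-12, Low 5-7) and the regional weighting from the Methodology appendix. The report does not publish its weighting formula or any respondent-level data, so the weight formula (target regional share divided by the sample's observed regional share), the ten-respondent sample, its two regions and the 50/50 target shares are all constructed assumptions for illustration. The sample is built so that it shows why a single weak area keeps an otherwise elite respondent in the high band, why one strong area leaves a respondent in the medium band, and how much the weighted band distribution can differ from the raw one.

```python
"""Combined SSC maturity scoring and region weighting on a constructed sample.

Added example, not SlashData's or Red Hat's code. The per-area points and the
18-20 / 13-17 / 8-12 / 5-7 bands follow section 7 of the report; the weighting
formula and every respondent below are assumptions constructed for illustration.
"""
from collections import Counter

# The five SSC areas scored in the report; each respondent gets one level per area.
AREAS = ("efficacy", "integrity", "delivery", "automation", "remediation")
LEVEL_POINTS = {"elite": 4, "high": 3, "medium": 2, "low": 1}
# (band, lowest total, highest total), as defined in section 7.
BANDS = (("elite", 18, 20), ("high", 13, 17), ("medium", 8, 12), ("low", 5, 7))


def band_for_total(total):
    """Map a 5-20 point total to its band; anything outside that range is a scoring bug."""
    for name, low, high in BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"total {total} is outside the 5-20 range")


def overall_band(area_levels):
    """Sum the per-area points and band the result. Requires exactly the five areas."""
    missing = set(AREAS) - set(area_levels)
    if missing:
        raise ValueError(f"missing area levels: {sorted(missing)}")
    total = sum(LEVEL_POINTS[area_levels[area]] for area in AREAS)
    return band_for_total(total), total


def levels(*names):
    """Build an area -> level dict from five level names given in AREAS order."""
    if len(names) != len(AREAS):
        raise ValueError("need exactly one level per area")
    return dict(zip(AREAS, names))


def region_weights(sample_regions, target_shares):
    """Post-stratification weight per region: target share / observed sample share.

    Assumed form of the report's "numerical value based on regional representation";
    weights average to 1.0 so the weighted sample keeps the same size as the raw one.
    """
    counts = Counter(sample_regions)
    n = len(sample_regions)
    return {region: target_shares[region] / (counts[region] / n) for region in counts}


def band_distribution(respondents, target_shares=None):
    """Percentage of respondents per band, weighted by region when target_shares is given.

    respondents: list of (region, area_levels) tuples.
    """
    regions = [region for region, _ in respondents]
    weights = region_weights(regions, target_shares) if target_shares else dict.fromkeys(regions, 1.0)
    mass = Counter()
    for region, area_levels in respondents:
        band, _ = overall_band(area_levels)
        mass[band] += weights[region]
    total = sum(mass.values())
    return {band: round(100 * mass[band] / total, 1) for band, _, _ in BANDS}


# Constructed sample: six North American and four South Asian respondents.
SAMPLE = [
    ("North America", levels("elite", "elite", "elite", "elite", "elite")),  # 20 -> elite
    ("North America", levels("elite", "elite", "elite", "elite", "high")),   # 19 -> elite
    ("North America", levels("elite", "elite", "elite", "high", "high")),    # 18 -> elite
    ("North America", levels("elite", "elite", "elite", "elite", "low")),    # 17 -> high: weak remediation costs elite
    ("North America", levels("high", "high", "high", "high", "high")),       # 15 -> high
    ("North America", levels("elite", "low", "low", "low", "low")),          # 8 -> medium: one strong area only
    ("South Asia", levels("high", "high", "high", "high", "low")),           # 13 -> high
    ("South Asia", levels("medium", "medium", "medium", "medium", "medium")), # 10 -> medium
    ("South Asia", levels("low", "low", "low", "low", "low")),               # 5 -> low
    ("South Asia", levels("low", "low", "low", "low", "medium")),            # 6 -> low
]
# Constructed target shares (the report derives its own from the Developer Nation surveys).
TARGET_SHARES = {"North America": 0.5, "South Asia": 0.5}


if __name__ == "__main__":
    for region, area_levels in SAMPLE:
        print(region, overall_band(area_levels))
    print("raw      ", band_distribution(SAMPLE))
    print("weighted ", band_distribution(SAMPLE, TARGET_SHARES))
```

In the constructed sample North America is over-represented (60% of respondents against a 50% target), so its respondents each receive a weight of 5/6 while South Asian respondents receive 1.25; because the elite respondents are all North American, the weighted elite share drops from 30% to 25% and the low share rises from 20% to 25%, which is the kind of correction the Methodology appendix describes.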