63% of organisations faced software supply chain attacks

A recent global study by Checkmarx has revealed that a significant majority of organisations have faced software supply chain attacks in the recent past. According to findings from the 2024 State of Software Supply Chain Security report, 63% of the 900 AppSec (Application Security) professionals surveyed reported being victims of such attacks within the last two years, and the entirety of the respondents indicated they had experienced a software supply chain attack at some stage.

The study, which includes responses from AppSec leaders across the United States, Europe, and Asia-Pacific, highlights the escalating focus on addressing software supply chain vulnerabilities. Of particular concern is the prevalent use of open-source software, with over half (56%) of those surveyed stating that open source components make up a significant portion of their applications.

The report also identifies a worrying trend with the frequency of these attacks. While 63% of respondents faced attacks in the past two years, 18% dealt with an incident within the last year alone. This underlines the increasingly sophisticated and frequent nature of threats targeting software infrastructures.

Amit Daniel, Chief Marketing Officer at Checkmarx, emphasised the significant risk posed by open-source software. "Software supply chain security has become an active target of government regulatory and cybersecurity agencies and is top of mind for over half of global enterprises we surveyed," he said. Daniel added that it is crucial for CISOs and security leaders to educate developers about the new risks and ensure comprehensive protection across the software supply chain. He noted, "‘Malicious’ is much more than vulnerable. We have seen more attacks on the open source ecosystem in the last two years than ever before with over 385,000 malicious packages detected to date by our own Checkmarx security research team." He also highlighted Checkmarx's commitment to assisting developers through its Checkmarx One platform, which aids in safeguarding against such attacks.

The study’s findings further indicate that software supply chain security is becoming an essential focus for enterprises. Among the respondents, 75% expressed significant concern about this area, with 39% being very concerned. Additionally, 57% acknowledged software supply chain security as a top or significant area of focus for their organisation.

Despite this heightened awareness, there remain substantial challenges in the effective deployment and utilisation of security solutions for the software supply chain. While 54% of respondents are in the process of adopting or considering the adoption of such solutions, less than half of those currently requesting software bills of materials (SBOMs) from vendors possess the expertise to effectively utilise them.

The methodology behind the report involved a comprehensive survey conducted earlier in 2024, targeting 900 CISOs and application security professionals from North America, Europe, and Asia-Pacific. The participants represented organisations with annual revenues of USD $750 million or more, providing a robust dataset for the study's conclusions.

The report underscores the urgency for enhanced security measures and better education among developers and security professionals to mitigate the risks associated with software supply chains, particularly as open source software continues to play a pivotal role in enterprise application development.