
New report shows disconnect between developers and security teams on software supply chain security priorities and responsibilities

Chainguard

Inaugural survey from Chainguard and The Harris Poll reveals how software security misalignment is disrupting security and developer team workflows and collaboration, post Log4Shell and SolarWinds


KIRKLAND, Wash., November 8, 2023 /PRNewswire/ – Chainguard, the leading software supply chain security company, today released the results of its inaugural report on the perspectives of CISOs and developers when it comes to tackling software supply chain security within their organization.


The 2023 CISO & Developer Trends in Software Supply Chain Security Report, conducted by The Harris Poll, surveyed 520 security decision-makers (n=268) and developers (n=252) on how the different roles view overall responsibilities and expectations for software supply chain security, the importance of software supply chain security, and the pain points and successes in each team’s approach to software supply chain security.


The report found a majority of both developers and CISOs view software supply chain security as a top priority in their roles (70% and 52% respectively). However, there is a clear disconnect and even some distrust between CISOs and developers related to how security-conscious each department is within the organization, who is responsible for preventing and mitigating security issues, how well CISOs understand developers’ day-to-day tools, and how well developers understand the risk associated with aspects of their job and the tools they use.


“Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the most well-resourced and staffed organizations,” said Kim Lewandowski, co-founder and Chief Product Officer at Chainguard. “The findings in the report reflect the tension in the security landscape, as organizations are re-thinking how to maintain developer velocity and the advantages of open source technology, while closing the gap on a new class of vulnerabilities that software supply chains have accrued.”


Key findings from the report include:

  • How well are developers approaching security? Depends who you ask. 72% of software developers say they are very security-conscious in their roles while only 50% of CISOs rate software developers as very security-conscious.


  • Developers report security teams don’t understand a crucial security surface area: container images. Only 43% of developers believe that CISOs are “very familiar” with how container images fit into their work. That is low compared with how familiar developers think their security team is with other parts of their work: open-source software libraries and projects (61%), source code repositories and source code management systems (60%), and software build tools (59%).


  • Despite disagreements on how each team views the other’s security prowess or understanding of tooling, software supply chain security is a top priority for developers and security teams alike. The report found that 92% of developers say software supply chain security is at least very important to their day-to-day work and development processes, with 39% marking it as absolutely essential. Ninety-three percent of CISOs noted effective software security as a critical component of their organizational maturity and threat / risk mitigation strategy, and 96% say effective software security practices are important to meeting government or regulatory requirements.


  • A concerning percentage of developers and CISOs report vulnerability scanning false positive fatigue. The report found that 36% of CISOs and 34% of developers report that an overwhelming number of scanner false positive vulnerability alerts are among the biggest obstacles an organization faces in ensuring software supply chain security. Both groups also cite consumption of vulnerable software and a lack of cohesion between CISOs and developers as main obstacles to software supply chain security.


  • Collaboration and communication between CISOs and developers is lacking, but there is strong alignment on desired business outcomes. CISOs (69%) and developers (64%) agree that lack of communication and collaboration between developers and security teams is a problem. Despite the tension present, both teams agree that it is absolutely essential that best practices and tooling in software security result in certain business outcomes, including customer retention (43% and 40%, respectively), meeting or satisfying procurement contract obligations (36% and 32%), fewer breaches or compromises (34% each), and developer / engineer productivity (32% and 34%).


“Developers and CISOs juggle numerous security priorities, often conflicting across organizations,” noted Luke Shoberg, Global CISO at Sequoia Capital. “The CISO and Developer Trends in Software Supply Chain Security Report emphasizes the need for internal assessments, fostering deeper collaboration, and building trust among teams managing this critical domain. Recognizing technical and cultural obstacles, organizations have made significant strides in understanding the importance of securing the software supply chain for sustained business success.”


“The world of software consumption and security has radically changed. From containers to the explosion of open source components, every motion has been toward empowering developers to build faster and better,” said Avon Puri, Global Chief Digital Officer at Sequoia Capital. “But with that progress, the security paradigm has been challenged to refocus on better controls and guarantees for the provenance of where software artifacts come from and that their integrity is being maintained. The survey shows developers and security teams are wrestling with this new reality in the wake of major exploits like Log4j and SolarWinds. There is a near universal awareness of the challenges, but still a ton of uncertainty about how to best solve them in the context of trust and collaboration to secure modern developer toolchains and workflows.”


Balancing security priorities and developer productivity creates conflict

Developers have already been wrestling with the natural tension between “build fast and break things” and the shift-left security movement. At the same time, CISOs are under immense pressure to maintain their organization’s security and compliance posture amid rising threats to the supply chain.


According to the report, nearly 8 in 10 CISOs (77%) and more than two-thirds of developers (68%) agree that the need to prioritize security causes tension between their teams. The report found that developers don’t want their day-to-day productivity to be affected by security tools or requirements, with 82% agreeing that software supply chain security practices shouldn’t make it more difficult for them to get their work done.


Tooling is also contributing to the tension, with 73% of developers agreeing that the work/tools their security team requires them to use interferes with their productivity and innovation.


The five-year forecast on software supply chain security

While the industry has closed some gaps in the old world of software consumption, the modern reality opens even more: an explosion of open source software, constant upgrades and patches, and new classes of exploits that target software artifacts, container images and build systems. Frameworks for software supply chain security, like Supply-chain Levels for Software Artifacts (SLSA) and the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF), have rapidly matured. They give security teams methods for approaching policies and oversight while giving developers more prescriptive best practices. According to the report, in line with the importance developers and CISOs already place on software supply chain security, most say their organizations already have some tools in place to address it: 40% have adopted Software Bills of Materials (SBOMs), and nearly half are implementing software supply chain security frameworks such as SLSA (47%) and SSDF (47%).


In addition to the existing adoption of software supply chain security tooling and frameworks, CISOs and developers expect changes to come in the next five years for software supply chain security at their organizations. The majority believe that prioritization of software supply chain security will increase over the next five years (85% among developers, 74% among CISOs), with almost one-third of developers saying that it will significantly increase (32%, versus 22% among security leaders). CISOs have a slightly more tempered outlook, with 23% anticipating their company’s approach to remain the same (vs. 15% among developers). This slightly tempered outlook among security decision-makers could be because they are more involved in, and have more visibility into, long-term security strategy decisions.


For more insight into how CISOs and developers think about software supply chain security, please read the full report. To hear from CISOs and developers in the field about the report’s results, sign up for this upcoming webinar on November 15 with Sequoia Capital’s Global CISO Luke Shoberg and Global Chief Digital Officer Avon Puri.


Methodology

This survey was conducted online within the United States by The Harris Poll on behalf of Chainguard from February 9-24, 2023 among 268 Security Decision-Makers and 252 Developers aged 21+ and employed full-time or part-time. The sampling precision of Harris online polls is measured by using a Bayesian credible interval. For this study, the sample data is accurate to within +/- 8.1 percentage points for Security Decision-Makers and +/- 7.4 percentage points for Developers using a 95% confidence level.


About Chainguard

Chainguard was founded by the industry’s leading experts on open source software, supply chain security and cloud native development and is backed by Sequoia, Spark Capital, Amplify Partners, the Chainsmokers and more. The team has worked together to build and deliver large-scale software products and enterprise services in high-growth environments like Google, Microsoft and VMware. Core to the Chainguard offering is Chainguard Images, a comprehensive collection of minimal container images which have 97.6% fewer vulnerabilities than industry alternatives. Chainguard is trusted by organizations ranging from Fortune 500 companies in the financial services and technology sectors to cutting-edge startups and SMBs. Its customers include the Department of Homeland Security, GitGuardian, Hewlett Packard Enterprise, Snowflake, Sourcegraph, Replicated and more. For more information, please visit: https://www.chainguard.dev/.
