Who's responsible for securing the software supply chain?

A new poll of over 500 security decision makers and developers shows a disconnect and even some distrust between CISOs and developers relating to how security-conscious each department is within the organization and what their roles are.

The Harris Poll conducted for Chainguard finds a majority of both developers and CISOs view software supply chain security as a top priority in their roles (70 percent and 52 percent respectively).

But there’s confusion over who is responsible for preventing and mitigating security issues, how well CISOs understand developers' day-to-day tools, and how well developers understand the risk associated with aspects of their job and the tools they use.

"Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the most well-resourced and staffed organizations," says Kim Lewandowski, co-founder and chief product officer at Chainguard. "The findings in the report reflect the tension in the security landscape, as organizations are re-thinking how to maintain developer velocity and the advantages of open source technology, while closing the gap on a new class of vulnerabilities that software supply chains have accrued."

Among the findings, only 43 percent of developers believe that CISOs are 'very familiar' with how container images fit into their work, which is low when compared to other aspects of how developers perceive their security team to understand their work. These include open-source software libraries and projects (61 percent), source code repositories and source code management systems (60 percent), and software build tools (59 percent).

A concerning percentage of both developers and CISOs report vulnerability scanning false positive fatigue. 36 percent of CISOs and 34 percent of developers report that an overwhelming number of scanner false positive vulnerability alerts are among the biggest obstacles an organization faces in ensuring software supply chain security. Both groups also cite consumption of vulnerable software and a lack of cohesion between CISOs and developers as main obstacles to software supply chain security.

It's also the case that 77 percent of CISOs and 68 percent of developers agree that the need to prioritize security causes tension between their teams. The report found that developers don't want their day-to-day productivity to be affected by security tools or requirements, with 43 percent strongly agreeing that software supply chain security practices shouldn't make it more difficult for them to get their work done.

The full report is available from the Chainguard site.

Image credit: [email protected]/depositphotos.com