Organizations don't know how to address software supply chain security

Organizations are struggling to keep up with vulnerabilities amid software supply chain complexity, with more than 40 percent still in reactive mode according to a new report from Slim.AI.

The 2023 Container Report, based on a survey conducted with Enterprise Strategy Group, shows few organizations know exactly how to address security in the upstream dependencies of the applications and the containers they run in production.

Despite dedicating significant resources to fight the influx of vulnerabilities, only 12 percent of organizations say they successfully meet their remediation goals.

Companies typically get software containers from dozens of vendors, exchanging hundreds of containers each month. The communication overhead to secure containers across company lines strains both sides, with 63 percent struggling to manage multiple software producers and 67 percent noting that external container images increase their attack surface.

A worrying 75 percent of organizations are simply sharing a vulnerability spreadsheet with the vendor's SecOps team, while 63 percent hold tedious ad-hoc meetings with vendors. Most security leaders want to have a centralized collaboration platform for managing vulnerabilities (84 percent).

One in three organizations is grappling with evolving compliance and regulatory guidelines, with 85 percent doing extra work to comply with executive orders, adding layers of complexity for IT teams. Alert fatigue is a problem too, 44 percent of organizations say they encounter vulnerabilities in production systems that must be addressed immediately several times a week, with 36 percent detecting them daily. In addition it’s estimated that more than four in 10 vulnerability alerts are false positives.

"As organizations across industries leverage development with containers and cloud services to deliver and use powerful applications, the research revealed vulnerability management challenges across the increasingly complex software supply chain," says Melinda Marks, practice director, cybersecurity for ESG. "This is a growing concern as attackers are likely to target areas where there is a high chance for mistakes or carelessness. The good news is that there are opportunities for risk burndown if you can manage your software supply chain and eliminate unneeded code components to mitigate vulnerability."

You can read more and get the full report on the Slim.AI blog. You can also sign up for a webinar to discuss the findings on January 9th at 1pm ET.

Image credit: Chan2545/depositphotos.com