Software supply chain threats increase in the AI era


Managing and securing the software supply chain end-to-end is vital for delivering trusted software releases.
But a new report from JFrog finds emerging software security threats, evolving DevOps risks and best practices, and potentially explosive security concerns in the AI era.
Based on insights from over 1,400 development, security and operations professionals, plus CVE analysis, the report reveals why looking after the supply chain is often challenging for companies amid the expanding and frenzied threat landscape faced in the current AI era.
"Many organizations are enthusiastically embracing public ML models to drive rapid innovation, demonstrating a strong commitment to leveraging AI for growth. However, over a third still rely on manual efforts to manage access to secure, approved models, which can lead to potential oversights," says Yoav Landman, CTO and co-founder of JFrog. "AI adoption will only grow more rapidly. Thus, in order for organizations to thrive in today's AI era they should automate their toolchains and governance processes with AI-ready solutions, ensuring they remain both secure and agile while maximizing their innovative potential."
The top security factors impacting the integrity and safety of the software supply chain include CVEs, malicious packages, secrets exposure, and misconfigurations/human errors. As an example, the JFrog Security Research Team detected 25,229 exposed secrets/tokens in public registries (up 64 percent year-on-year). The increasing complexity of software security threats is making it harder to maintain consistent software supply chain security.
Although 94 percent of companies are using certified lists to govern ML artifact usage, 37 percent of those still rely on manual efforts to curate and maintain their lists of approved ML models. This overreliance on manual validation creates uncertainty around the accuracy and consistency of ML model security.
Worryingly, only 43 percent of IT professionals say their organization applies security scans at both the code and binary levels, leaving many organizations vulnerable to security threats only detectable at the binary level. This is down from 56 percent last year -- a sign that teams still have huge blind spots when it comes to identifying and preventing software risk as early as possible.
There's also concern about the number of new CVEs -- up 27 percent over 2023 -- particularly as many are being mis-scored. The report finds that only 12 percent of high-profile CVEs rated 'critical' (CVSS 9.0-10.0) by government organizations justify the critical severity level they were assigned because they are likely to be exploited by attackers.
The full report is available from the JFrog site and there will be a webinar to discuss the findings on April 24th at 9am PT.