
Most organisations lack visibility into software supply chains
Fewer than 40% of organisations report having full observability into their software supply chain, according to new research from Cloudsmith.
The research, which surveyed 307 DevOps professionals across the US and UK, found that only 36% of organisations believe they have complete visibility into their software supply chain through their artifact management solutions.
This issue persists despite several high-profile software supply chain incidents, such as those involving XZ Utils, Log4j, and the tj-actions/changed-files case, which have drawn widespread attention to the vulnerabilities inherent in modern software development.
Cloudsmith's findings come against a backdrop of increased regulatory oversight, including the EU Cyber Resilience Act and the Cybersecurity and Infrastructure Security Agency's (CISA) updated 2024 guidelines, which are putting additional pressure on organisations to scrutinise and secure their software supply chains.
Open-source software now forms around 90% of modern codebases, raising the stakes for organisational security. Insecure packages can introduce vulnerabilities, posing risks across the entire software delivery pipeline.
The research revealed that while 61% of surveyed software development professionals list security features as a top priority in their workflows, many still experience inefficiencies. Nearly half (46%) of respondents described their pipelines as having either no or only partial automation, with fragmented processes and limited use of a centralised artifact repository.
Nigel Douglas, Developer Relations Lead at Cloudsmith, said, "There's a clear disconnect between security goals and real-world implementation. Since open-source code is the backbone of today's software supply chains, any weakness in dependencies or artifacts can create widespread risk. To effectively reduce these risks, security measures need to be built into the core of artifact management processes, ensuring constant and proactive protection."
The challenge is further highlighted by the difficulty organisations face in balancing the speed of software delivery with the need to address security vulnerabilities. Fifty-six per cent of developers surveyed named 'Improved Security' as a primary motivator for adopting new artifact management tools.
Experiences from respondents in the survey underscored the impact that security breaches can have. One stated, "A vendor solution was compromised, leading to significant downtime and operational losses." Another commented, "Security risks remain a critical challenge as we strive for faster deployments," articulating the tensions within enterprise IT operations.
Alan Carson, Cloudsmith's CSO and co-founder, remarked, "Without visibility, you can't control your software supply chain. And without control, there's no security. When we speak to enterprises, security is high up on their list of most urgent priorities. But security doesn't have to come at the cost of speed. They may have dozens of developer teams all building different software for different purposes using different methods. DevOps leaders are crying out for a single plane to bring that together and simplify management, making security a default layer, rather than an extra obligation."
Cloudsmith's research points to a significant gap between security aspirations and operational realities among DevOps teams, with process inefficiencies and lack of centralisation contributing to limited visibility and control.