CISOs, Developers and the Software Supply Chain Security Disconnect
A new report revealed discrepancies in how CISOs and developers view their roles and responsibilities around software supply chain security.
While CISOs and developers agree that software supply chain security should be a priority for their organizations, they are still facing various pain points around supply chain security practices when it comes to communication and collaboration, according to a recent report.
New research conducted by the Harris Poll and Chainguard and released on Wednesday gathered data from 268 security decision makers and 252 developers related to the challenges that CISOs and developers face in implementing software supply chain practices in their organization. The research comes as the list of supply chain attacks against software suppliers continues to grow, and as both the private and public sectors scope out the best ways to better prevent these types of attacks.
The report found that both CISOs and developers view supply chain security as a top priority for their roles; however, while 72 percent of developers felt they are very security-conscious in their roles, only half of CISOs rated developers as very security-conscious. Furthermore, less than half of CISOs felt that developers were “very familiar” with the security risks of development and workflow tools, such as open-source software libraries and projects, source code repositories and source code management systems.
“Despite developers having a sense of pride about their role securing the software supply chain and believing they take a security-centric approach to their work, less than half of CISOs are fully confident that developers understand the security risks of their development and workflow tools,” according to the research. “This slightly tempered positivity about their organization’s approach to software security could be in part due to their perception that developers are not fully aware of the security risks related to aspects of their work.”
The research also highlighted tensions between security teams and developers. The majority of developers said that they don’t want their productivity and day-to-day roles to be impeded by changes in organizational approaches to software supply chain security practices. More than half of developers also said that current security tools, or the lack of them, make it impossible to do their best work, and 73 percent agreed that the work or tools their security team requires them to use “interferes with their productivity and innovation.” At the same time, the majority of CISOs and developers agreed that there is a lack of communication and collaboration between their teams.
CISOs and developers both cited the lack of cohesion between their groups as a main obstacle to software supply chain security, along with other challenges such as software vulnerabilities and a lack of visibility into those flaws, immature or ineffective tooling, and scanner false positives.
The good news is that both CISOs and developers fully agree on the importance of software supply chain security, and see many software supply chain security tools and practices already in use in their organizations today, such as observability tools and software composition analysis (SCA) or software component vulnerability scanners. Furthermore, the majority of both believe that the prioritization of supply chain security will continue to increase over the next five years at their organizations. Still, the report shows that security teams and developers need to better align on how software supply chain security approaches are implemented.
“Software developers want to develop software that is secure and free of vulnerabilities so they can ship the best products and applications to users and customers,” according to the report. “Security practitioners want to feel at ease knowing vulnerabilities aren’t creeping in from the beginning of the software development process, which can create mounting technical and security debt. And CISOs want to trust the software their developers build, ship and run is secure, avoiding reputational damage or missing compliance requirements. Getting all of these groups on the same page when it comes to an organization’s approach to software supply chain security is challenging.”