Security execs overstate supply chain security: JFrog
Security executives are overconfident in their organisations’ ability to anticipate and respond to software supply chain attacks, according to a new report released by DevOps platform developer JFrog.
The report found that while 92% of security executives believe their organisations have the tools to detect malicious open source packages, only 70% of developers agree. Meanwhile, 67% of executives believe code-level scans are conducted regularly, while only 41% of developers confirm this to be the case.
Executives also overestimate their organisations’ adoption of AI and machine learning, both in the applications they ship and in the tooling used to address these threats. Over 90% of executives believe their organisations are using machine learning models in their applications, while only 63% of developers say they are doing so.
Likewise, 88% of executives believe AI and machine learning tools are being used for security scanning and remediation processes, but only 60% of DevSecOps teams report using these tools.
JFrog SVP and CISO Moran Ashkenazi said these results are concerning in light of the finding that only 30% of respondents identified the need to address vulnerabilities in their software supply chain as a top security concern.
“The complexity of today’s software supply chain poses unprecedented risks. Despite leadership efforts to equip frontline teams with the right equipment, developers are struggling to improve efficiency and accelerate productivity due to tool sprawl, lengthy open source and ML model approvals, plus audit and compliance checks,” he said. “This discrepancy highlights the urgency for organisations to rethink their security strategies, focus more on AI/ML components, and align executives and doers on a mission to fortify their software supply chains.”