Rising Software Supply Chain Threats: Building an Integrated Defense

Malicious actors are gaining the upper hand with rapidly increasing attacks against vulnerable software supply chains (SSCs). Organizations are struggling to fight back because of a lack of internal agreement on security capabilities and practices. Recent survey results reveal multiple disconnects between senior executives and managers ("executives") and frontline staff ("practitioners").

Executives tended to have a relatively optimistic view of their organization's security posture. Compared to practitioners, executives believed they implemented more security measures, used more solutions, and defended more effectively against open source risks. Similarly, executives underestimated the amount of time their teams spend fixing vulnerabilities and approving software packages.

When it comes to incorporating artificial intelligence (AI) and machine learning (ML) into software applications and automated security scanning, executives and practitioners also had very different perceptions.

Survey findings also revealed region-specific concerns regarding SSC security.

North America

North America (NA)-based organizations tend to adopt ML models more quickly than those in Europe, the Middle East, and Africa (EMEA) and Asia Pacific (APAC), and US organizations also seem to be more comfortable using AI and ML tools to write code.

These findings suggest that the AI ​​race in North America, where Silicon Valley tech giants are investing heavily in AI development, is more intense than in the EMEA and APAC regions.

Europe, Middle East, and Africa

The survey results show that EMEA organizations are more cautious when it comes to SSC risks than other parts of the world: they are less likely to deploy software on Internet of Things (IoT) devices, for example, and they also appear more reluctant to integrate AI and ML in their software due to security and compliance concerns.

Compared to North America and Asia, the regulatory environment in Europe is much tougher, with organizations being more sensitive to the requirements of the General Data Protection Regulation (GDPR), Cybersecurity Law, and other important directives.

However, despite their cautious response to emerging software technologies, survey responses indicate that organizations in EMEA recognize the potential of AI and ML tools and are open to exploring how to incorporate them into their SSCs.

Asia Pacific

One notable feature of APAC-based organizations is their relative enthusiasm for incorporating AI and ML into scanning and remediation. Survey results show that these organizations have a very high comfort level with using AI and ML tools for coding.

That could be problematic: if not controlled, APAC organizations' enthusiasm for these emerging technologies could expose them to greater SSC security risks.

Conclusion

Enterprise leaders are eager to close the awareness gap and adopt comprehensive, integrated solutions to strengthen SSC security. Whether based in NA, EMEA, or APAC, executives want to establish an integrated SSC security defense for their organizations. What's needed is a comprehensive solution that embraces automation, employs AI and ML models, and prioritizes integration across the software development lifecycle.
