JFrog’s new security report highlights the hidden risks and challenges in modern software supply chains

Kavita Viswanath, GM & VP, APAC, JFrog. Bengaluru. August 2023. Photograph by Nishant Ratnakar

CXOToday has engaged in an exclusive interview with Kavita Viswanath, GM & VP APAC, JFrog

1. Can you elaborate on the complexities within the modern software supply chain that JFrog’s new research has identified?

The complexity of the software supply chain has the potential to expose organizations to even greater risk than ever before for a few key reasons.

  • Polyglots: The variety of open-source packages and libraries available for use when creating applications is booming – with data showing that about half of organizations (53%) utilize 4-9 different programming languages across their organizations, while 31% use more than 10 languages. Hackers know that open source packages, and the developers who use them, are the golden ticket to security breaches. They tend to strike either by exploiting weaknesses introduced through CVEs (typically unintentional flaws by open source developers) or by introducing their own malicious packages masquerading as safe open source components.
  • Rising number of vulnerabilities: There are tens of thousands of new CVEs a year, with the number growing higher year over year, and 60% of professionals say their team typically spends 4 or more days remediating application vulnerabilities in a given month. That’s a quarter of working time spent on remediation and taken away from activities that drive incremental business value.
  • Good ole’ human error: Exposed secrets and human error account for a notable portion of the potential risk in an organization’s software supply chain.
  • Increased usage of AI/ML: 90% of survey respondents said their organization uses AI/ML to aid in security efforts, and half of respondents (50%) said their organization allows developers to leverage AI/ML to assist in code creation for research purposes only. When not used properly and with the correct safety measures, use of GenAI/ML for writing or securing software can lead to the introduction of even more vulnerabilities within an organization’s SSC.


2. What are some of the hidden risks and challenges confronting organizations today as per your findings?

CISOs and their teams already know that what you bring in from the open-source community is an important area to focus efforts on, but there are other areas of concern such as:

  • Leaked secrets: Thousands of corporate tokens are found in public registries every year. Corporate secrets can be exposed by developers working on open source projects in their after-hours or during dedicated personal project time.
  • Misconfigurations and mistakes – the impact of human error: 2023 had no shortage of incidents where sensitive data was exposed to the internet via unsecured servers, cloud misconfigurations, exposed files containing sensitive data, and more.


3. How is AI/ML influencing security protocols and code development, according to your research?

There’s a growing demand for AI/ML-embedded software, and in all likelihood your developers are already playing around with ML models as part of new versions of your applications. If you consider that an AI/ML-based security tool would be just 1 in potentially 10 tools used, there’s no harm in adding one into the mix. Organizations need to evaluate how impactful “AI security” infused tools actually are versus riding the hype wave and potentially causing additional alert fatigue. They also need to move quickly to bring model development into their secure SDLC by adopting security best practices for model use, such as scanning open source models.


4. What are the current trends in technology adoption and how are they shaping the dynamics of the open-source community?

  • The “old guard” still stands: The ecosystem surrounding the likes of Java, Python, JavaScript, etc. is so strong and ingrained that organizations feel comfortable sticking with the technologies they know work. It’ll likely be some time before we see these younger languages gain a real foothold in large enterprises – hence the reason our data shows organizations are using between 4 and 9 programming languages on average.
  • AI is going mainstream: Without a doubt, Artificial Intelligence (AI) and Machine Learning (ML) will have a profound impact on what goes into new software, how code is written, and how software applications are secured. According to Gartner, 90% of new applications will contain machine learning models or services by 2027. So if your organization isn’t embedding ML models in your applications or using ChatGPT- or Copilot-like tools, it will be soon.
  • Containerization is king: At this point, the prevalent usage of Docker, OCI, and Helm repositories is a clear indication that containerization has been widely adopted in production software assets. Now that organizations are comfortable with containers and moving to dynamic runtimes such as Kubernetes, some forward-looking technologists are beginning to promote deploying WebAssembly (Wasm) applications, which offer some unique benefits over containers in specific use cases.


5. Could you share some effective security strategies and practices implemented by industry leaders based on your study?

Software supply chain attacks will cost an estimated $80.6 billion globally by 2026. Investing time and money into security efforts is clearly justified, but while bringing new capabilities to market quickly is a clear competitive advantage, organizations have to weigh the impact of security efforts on productivity and value stream delivery.

JFrog recommends ensuring that security is baked into your software development processes from the start by both manually reviewing code produced by AI generative tools, as well as incorporating security solutions such as SAST which can trustfully discover vulnerabilities as you go. This proactive approach is essential to ensuring the security of your software and responsible use of AI technologies.


6. Your report indicates that 65% of respondents in India use 10 or more application security solutions. Can you discuss the implications of this finding?

Spending unnecessary time on security tasks, sifting through results from multiple scanners, and waiting days or weeks to get approval to use a new package or library is a waste of critical time in development. Streamlining the approval process for bringing in new software packages and remediating vulnerabilities, automated curation policies, contextualized security scans, and bringing security insights directly into the developer environment are the key to delivering secure software supply chains without impacting productivity. This further supports the market-wide trend of tool consolidation with a movement away from point solutions.


7. The research reveals that 54% of respondents in India spend a week or longer remediating application vulnerabilities in a given month. What impact does this have on productivity and efficiency?

Contending with 26,000+ new CVEs every year can bog down development workflows, keeping both developers and security professionals overwhelmed. The presence of a CVE in your software doesn’t necessarily mean there’s a security impact, and CVE ratings may not be the best indicator for prioritizing or identifying which CVEs need to be addressed by development and security teams. Contextualized understanding of where and how CVEs apply is important to keep developers focused on value-added activity versus remediation.