In its recently published Software Supply Chain State of the Union 2024 report, JFrog, a leading software supply chain platform provider, unveiled key insights into the industry’s landscape. The report, released on March 19, combines data from over 7,000 organizations utilizing JFrog Artifactory, original CVE analysis by the JFrog security research team, and a comprehensive survey of 1,200 technology professionals worldwide.
AI and machine learning in security
JFrog’s report underscores the pervasive use of AI and machine learning (ML) tools to bolster security measures within the software supply chain. According to the findings, 90% of respondents used AI/ML-powered tools to aid security scanning and remediation. However, the adoption of generative AI for code writing remains relatively low, with only 32% of surveyed professionals indicating its usage within their organizations.
The disparity between AI/ML adoption for security versus code generation suggests a prevailing wariness among developers regarding the potential vulnerabilities inherent in AI-generated code. This cautious approach underscores the critical balance between innovation and security within enterprise software development.
Security practices and challenges
The report sheds light on the evolving security practices and challenges organizations encounter. Notably, nearly half of respondents (47%) reported employing four to nine application security solutions, while one-third revealed utilizing 10 or more such solutions. However, despite these proactive measures, security concerns significantly impact productivity.
Approximately 40% of survey participants indicated that acquiring approval for the usage of new packages or libraries typically takes a week or longer, highlighting bureaucratic hurdles that impede agile development practices. Moreover, security teams dedicate approximately 25% of their time to remediate vulnerabilities, underscoring the resource-intensive nature of maintaining software integrity.
CVE analysis and programming language diversity
An analysis of Common Vulnerabilities and Exposures (CVEs) conducted by the JFrog security research team revealed intriguing insights. Denial of Service (DoS) attacks emerged as the predominant threat vector, with nearly half (48.9%) of analyzed CVEs posing the potential for such attacks. In contrast, only 18.9% of CVEs exhibited the potential for remote code execution, a favorable finding due to the latter’s potentially more severe impact.
Furthermore, the report highlights the nuanced nature of CVE severity, with the JFrog security research team downgrading the severity of 85% of critical CVEs and 73% of high CVEs on average after analysis. This underscores the importance of comprehensive vulnerability assessments and mitigative strategies in safeguarding software integrity.
Moreover, the report underscores the increasing complexity of software development environments, with over half (53%) of organizations utilizing four to nine programming languages. Additionally, 31% of surveyed organizations reported using more than 10 programming languages, reflecting the diverse technological landscapes prevalent in modern software development.
JFrog’s Software Supply Chain State of the Union 2024 report provides a comprehensive overview of the prevailing trends and challenges shaping the software supply chain landscape. The widespread adoption of AI and ML-powered security tools underscores the industry’s commitment to enhancing cybersecurity measures. However, the cautious approach towards AI-generated code highlights the ongoing dialogue surrounding the intersection of innovation and security.
As organizations navigate the evolving threat landscape and embrace diverse programming languages, proactive security practices and robust vulnerability management frameworks remain paramount. By addressing these challenges holistically, organizations can fortify their software supply chains and mitigate risks effectively in an increasingly digitized world.
