Safeguarding the SLDC in 2024
March 26, 2024

Security is taking a toll on productivity, according to the Software Supply Chain State of the Union report from JFrog.

48% of survey respondents said it typically takes a week or longer to get approval to use a new package/library, extending time to market for new apps and software updates.

Additionally, approximately 25% of security teams' time is spent remediating vulnerabilities, even when those vulnerabilities may be overrated or even non-exploitable given their current context.


Source: JFrog

More key findings of the report include:

Not all CVEs are what they seem

Traditional CVSS ratings look purely at the severity of the exploit as opposed to the likelihood it will be exploited, which requires context to make an effective assessment. The JFrog Security Research team downgraded the severity of 85% of Critical CVEs and 73% of High CVEs on average after analyzing 212 different high-profile CVEs discovered in 2023. Additionally, JFrog found that 74% of the reported common CVEs with High and Critical CVSS scores on the top 100 Docker Hub community images weren't exploitable.

Denial of Service (DoS) attacks reign

Of the 212 high-profile CVEs analyzed for the report, 37.4% of them held the potential for a DoS attack vs. 19% with the potential to perform Remote Code Execution (RCE). This is good news for security organizations in the sense that RCE has a far more detrimental impact vs. DoS attacks due to their ability to offer full access to backend systems.

Applying security checks is inconsistent across SLDC

The industry seems to be split pretty evenly down the middle when it comes to deciding where to apply application security testing across the software development lifecycle (SDLC), underscoring the importance of shifting left and right simultaneously.

42% of developers claim it's best to perform security scans during code writing while 41% say it's best to perform scans on new software packages before bringing them into your organization from an Open-Source Software (OSS) repository.

Security tool sprawl continues

Nearly half of IT professionals (47%) say they use between four and nine application security solutions. However, a third of survey respondents and security professionals (33%) say they're using 10 or more application security solutions. This supports a market-wide trend of needing security tooling consolidation with a movement away from point solutions.

Disproportionate use of AI/ML tools for security

While 90% of survey respondents indicate their organization currently uses AI/ML-powered tools in some capacity to assist in security scanning and remediation efforts, only one in three professionals (32%) claim their organization uses AI/ML-powered tools to write code, indicating the majority are still wary of the potential vulnerabilities Gen-AI developed code can introduce to enterprise software.

"Vulnerabilities are growing in number year over year, but that does not necessarily mean they are growing in severity. It's clear that IT teams are willing to invest in new tools to bolster their security, but knowing where to put those tools, use their team's time, and streamline processes is critical to keeping their SDLC secure," said Shachar Menashe, Sr. Director, JFrog Security Research.

Methodology: The Software Supply Chain State of the Union report combines JFrog Artifactory developer usage data amongst 7K+ organizations, original CVE analysis by the JFrog Security Research team, and commissioned third-party survey data of 1,200 technology professionals worldwide to provide context into the broad, rapidly evolving software supply chain landscape.

Share this

Industry News

November 21, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.

November 21, 2024

Securiti announced a new solution - Security for AI Copilots in SaaS apps.

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.