Enterprise Strategy Group Research Reveals 91 Percent of Organizations Have Experienced a Software Supply Chain Incident in Past 12 Months

According to the ESG Study, 88% of Organizations Set Priority to Critical or Important for Accurate Inventory of APIs and Cloud Services for Software Supply Chain Security

PALO ALTO, Calif.

Data Theorem, Inc., a leading provider of modern application security, today announced “The Growing Complexity of Securing the Software Supply Chain” report (see Note 1) in partnership with Enterprise Strategy Group (ESG). The study found that the overwhelming majority of organizations (91%) have experienced a software supply chain incident in the past 12 months.

The most common security incidents over this period were:

  • Exploit (41%): zero-day exploit on vulnerabilities within third-party code
  • Exploit (40%): misconfigured cloud service exploits
  • Exploit (40%): vulnerability exploits in open-source software and container images
  • Secrets (37%): secrets/token/passwords stolen from source code repositories
  • Data Breach (35%): API data breaches in third-party software and code

To gather data for this report, ESG surveyed more than 350 respondents from private- and public-sector organizations in North America (US and Canada) across cybersecurity professionals (~39%), application developers (~32%), and IT professionals (29%) responsible for evaluating, purchasing, and utilizing developer-focused security products. 

In a related finding, study results also revealed that 88% of organizations feel it’s critical or important to have an accurate inventory of their third-party APIs and cloud services as it relates to software supply chain security. This is followed by 86% of organizations stating it’s critical or important to know the composition/inventory of application code in use (e.g., OSS, third-party or custom), where code is stored, and who has access to code components connected to their code.

“Because of the massive number of suppliers and partners, continuous discovery of components across the software supply chain is a major challenge; in fact from our survey the overwhelming majority (88%) of organizations state the importance and criticality of having an accurate inventory of their third-party APIs and cloud services,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “While it’s understood SBOMs are important to software supply chain security, most organizations are challenged with creating and maintaining current SBOMs. Organizations need continuous runtime scanning, discovery and inspection of open-source components, third-party libraries, and APIs in source code to best secure their applications.”

When asked about the top priority investments in software supply chain security over the next 12 to 18 months, the largest share (44%) see scanning open source code components and third-party libraries for vulnerabilities as the top priority, followed by discovering and inspecting APIs in source code (39%) and creating an SBOM via composition analysis (38%), while more than a third of organizations see investing in applying runtime API security controls as a top priority.

“The emergence of cloud-native applications and a growing reliance on third-party APIs and cloud services have fundamentally altered the software supply chain security challenge by introducing new attack surfaces that have already been exploited and are poised to remain in the crosshairs of hackers and cyber-criminal activity,” said Doug Dooley, Data Theorem COO. “Failure to adapt to these supply chain security problems not only puts sensitive data and applications at risk but also threatens to erode the trust and integrity enterprise customers have built their business on. This current ESG report highlights some of the important lessons we must learn and improve upon going forward in 2024 and beyond.”

For a free copy of the ESG “The Growing Complexity of Securing the Software Supply Chain” report, see https://www.datatheorem.com/resources/reports/securing-the-software-supply-chain-by-enterprise-strategy-group-esg.

Data Theorem’s broad AppSec portfolio protects organizations from data breaches with application security testing and protection for modern web frameworks, API-driven microservices and cloud resources. Its solutions are powered by its award-winning Analyzer Engine which leverages a new type of dynamic and runtime analysis that is fully integrated into the CI/CD process, and enables organizations to conduct continuous, automated security inspection and remediation. Data Theorem is one of the first vendors to provide a full stack application security analyzer that connects attack surfaces of applications starting at the client layers found in mobile and web, the network layers found in APIs, and the infrastructure layers found in cloud services. 

Note 1 – Source: Enterprise Strategy Group, a division of TechTarget Inc. Research eBook, The Growing Complexity of Securing the Software Supply Chain, February 2024.

About Enterprise Strategy Group

TechTarget’s Enterprise Strategy Group is an integrated technology analysis, research, and strategy firm providing market intelligence, actionable insight, and go-to-market content services to the global technology community.

Media Contact

Dan Spalding, dan@datatheorem.com, (408) 960-9297

About Data Theorem

Data Theorem is a leading provider of modern application security, helping customers prevent AppSec data breaches. Its products focus on API security, cloud (serverless apps, CSPM, CWPP, CNAPP), mobile apps (iOS and Android), and web apps (single-page apps). Its core mission is to analyze and secure any modern application anytime, anywhere. The award-winning Data Theorem Analyzer Engine continuously analyzes APIs, Web, Mobile, and Cloud applications in search of security flaws and data privacy gaps. The company has detected more than 5 billion application incidents and currently secures more than 25,000 modern applications for its enterprise customers around the world.