More organisations should be prioritising supply chain security, says research

Only 36% of organisations report having full observability into their software supply chain through their artifact management solution, a persistent blind spot despite a spate of high-profile software supply chain attacks, including the XZ Utils backdoor, Log4j and the tj-actions/changed-files incident.

The findings, from research conducted by Cloudsmith, accompany a growing movement towards greater observability, driven by regulatory pressure, including the EU Cyber Resilience Act and the Cybersecurity and Infrastructure Security Agency (CISA)’s updated 2024 guidelines.

Open-source software now constitutes approximately 90% of modern codebases, so an insecure package can introduce exploitable vulnerabilities into every product that depends on it. The research highlights that while 61% of surveyed software development professionals prioritise security features in their development workflows, nearly half (46%) still describe their software delivery pipelines as having no or only partial automation, with process inefficiencies and little to no use of a centralised artifact repository.

Nigel Douglas, Developer Relations Lead at Cloudsmith said: “There’s a clear disconnect between security goals and real-world implementation. Since open-source code is the backbone of today’s software supply chains, any weakness in dependencies or artifacts can create widespread risk. To effectively reduce these risks, security measures need to be built into the core of artifact management processes, ensuring constant and proactive protection.”

The research reveals that, with their current tools, organisations struggle to balance the demands of delivering software at speed while addressing security vulnerabilities. 56% of developers cited "Improved Security" as a primary driver for adopting new artifact management tools.

One respondent noted: “A vendor solution was compromised, leading to significant downtime and operational losses.” Another added, “Security risks remain a critical challenge as we strive for faster deployments,” highlighting the everyday frustrations enterprises experience in trying to secure their software supply chain.

Alan Carson, Cloudsmith’s CSO and co-founder, added: “Without visibility, you can’t control your software supply chain. And without control, there’s no security. When we speak to enterprises, security is high up on their list of most urgent priorities. But security doesn’t have to come at the cost of speed. They may have dozens of developer teams all building different software for different purposes using different methods. DevOps leaders are crying out for a single plane to bring that together and simplify management, making security a default layer, rather than an extra obligation.”
