Synopsys report finds over half of surveyed orgs suffered supply chain attack in 2023

SUNNYVALE, Calif. — The majority of global organizations (54%) suffered a software supply chain attack over the past year, and most are unable to keep up with the growing risk landscape according to a report just released by Synopsys.“The State of Software Supply Chain Security Risk” report, released on 5/16/2024 by Synopsys and the Ponemon Institute also found that 50% of organizations took more than a month to respond to an attack. One in five say that their organization is not effective in its ability to detect and respond to these attacks. The data shows that artificial intelligence (AI) is becoming ubiquitous across the software development life cycle. The majority of security professionals (52%) say their development teams leverage AI tools to generate code, specifically, OpenAI Codex (50%), ChatGPT (45%) and GitHub Copilot (43%).“While the use of AI creates efficiencies by automating decision-making, findings indicate that concerningly few protections are put in place,” Synopsys said. “Only a third (32%) of organizations have processes to evaluate AI-generated code for license, security, and quality risks.” Among other concerns from organizations surveyed was a lack of commitment from decision-makers when mitigating these issues. Only 39% say their organization’s leaders are highly committed to reducing the risk of malware in software supply chains. Even though 45% of security professionals say supply chain compromises such as SolarWinds have led to increased investment in software supply chain security, only 38% say resources dedicated to securing the supply chain are sufficient or very sufficient.“Supply chain attacks are becoming more prevalent across organizations globally, yet this report highlights the sustained weaknesses in existing software development processes and security standards,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “Attackers are getting more sophisticated and thus finding more weaknesses that allow them to explore a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications, and continuously evaluate IP, security threats, and code quality to reduce risk.” Additional key findings include organizations forgoing SBOM implementation, and open source vulnerabilities remaining a huge risk,Readers can download a copy of “The State of Software Supply Chain Security Risks” report here.