How many reports are needed to answer the important questions about the security of the software supply chain? This week we look at five recent studies, with a focus on CI/CD and open source. As always, the analysis goes beyond the press-release-based reporting you may have read elsewhere. Below are a few takeaways from the complete article.
- Eighty-two percent of codebases have components that are more than four years out of date, according to due diligence audits of over a thousand commercial applications conducted by the Synopsys Cybersecurity Research Center. Licensing problems exist in almost three-quarters of codebases. The report would be more useful if it provided data about the average number of unmaintained components and quantified how often these issues result in a high-risk vulnerability that needs to be addressed immediately.
- 38% of DevOps implementations include a CI/CD platform, according to GitLab’s “Mapping the DevSecOps Landscape: 2020 Survey Results”.
- Information security teams are more likely to use dependency scans at companies where DevOps led the selection of the scanning tool, according to The New Stack’s “Security in the CI-CD Poll”.