Malicious actors have been pressing their advantage against vulnerable software supply chains with exponentially increasing attacks. Enterprises have been hampered in fighting back by lack of internal consensus on their security capabilities and practices. Recent survey findings uncovered multiple areas of disconnect between senior executives/managers (“executives”) and hands-on staff (“doers”).
Executives tended to have a comparatively rosier picture of their organization’s security posture. Compared to the doers, executives believed they were implementing more security practices, using more solutions, and defending more effectively against open-source risk. Similarly, they underestimated the time their teams were spending on vulnerability remediation and software package approvals.
The executives and doers also had significantly different perceptions when it came to the incorporation of artificial intelligence (AI) and machine learning (ML) in software applications and for automated security scanning.
The research findings revealed region-specific concerns over SSC security as well.
North America
North America (NA)-based organizations tend to be quicker to adopt ML models than those based in Europe, the Middle East, and Africa (EMEA) or the Asia-Pacific (APAC). Also, organizations in the US appear to have a greater comfort level when it comes to using AI and ML tools for code creation.
These findings suggest that the AI race is more intense in North America, where Silicon Valley technology giants have been investing heavily in its development, than in the EMEA or APAC regions.
Europe, Middle East, and Africa
Based on the survey findings, it’s clear that EMEA organizations exercise more caution when it comes to SSC risk than in other parts of the world. They are less inclined to deploy software to Internet of Things (IoT) devices, for example. Also, there’s more resistance to integrating AI and ML in software—likely due to concerns over security and compliance.
Compared to North America and Asia, the regulatory environment is far more stringent in Europe, where organizations are sensitive to the requirements of the General Data Protection Regulation (GDPR), the Cybersecurity Act, and other key directives.
Yet despite their measured response to emerging software technologies, survey responses indicate that organizations in the EMEA region are aware of the potential of AI and ML tools and are open to considering ways to incorporate them in their SSCs.
Asia-Pacific
Among the notable distinctions of APAC-based organizations is their comparative eagerness to incorporate AI and ML for scanning and remediation. Based on the survey results, they also have a very high comfort level with the use of AI and ML tools for code creation.
That could be problematic. If unchecked, APAC organizations’ enthusiasm for these emerging technologies might expose them to greater SSC security risk.
Conclusion
Corporate leaders are eager to bridge the perception gaps and adopt a comprehensive, unified solution to shore up SSC security. Whether based in NA, EMEA, or APAC, executives are eager to establish a unified SSC security defense posture for their organizations. What’s needed is a comprehensive solution that embraces automation, employs AI and ML models, and prioritizes integration across the entire software development lifecycle.
