Report Reveals Disconnect Between Developers and CISOs on Software Supply Chain Security Priorities
November 29, 2023

A recent report by Chainguard highlights the importance of software supply chain security for both developers and Chief Information Security Officers (CISOs). The survey reveals that 70% of developers and 52% of CISOs consider software supply chain security a top priority in their roles, according to an article by Help Net Security.

However, the report points out a significant disconnect and distrust between CISOs and developers regarding various aspects of security. While 72% of software developers claim to be very security-conscious, only 50% of CISOs rate developers the same way. Additionally, there’s a lack of understanding between the two groups regarding tools and responsibilities related to security issues.

The study emphasizes how hard it is for developers and security leaders to stay aligned in a rapidly evolving landscape. The tension arises from the need to balance developer velocity and the advantages of open-source technology against the work of addressing vulnerabilities in software supply chains.

A notable finding is that 92% of developers view software supply chain security as at least very important to their daily work, with 39% considering it absolutely essential. CISOs also recognize the critical role of effective software security practices, with 93% noting its importance in organizational maturity and threat mitigation.

Communication gaps and collaboration issues between developers and security teams are identified as significant problems by 69% of CISOs and 64% of developers. Despite this, both groups agree on the essential business outcomes of effective software security practices, including customer retention, meeting procurement obligations, reducing breaches, and improving developer productivity.

The report highlights the tension between the desire for fast development and the necessity of robust security measures. The industry is grappling with the challenges posed by constant software changes, an explosion of open-source components, and new classes of exploits.

Despite the existing gaps, the survey reveals that organizations are preparing for the future of software supply chain security. Many have already adopted tools such as Software Bills of Materials (SBOMs) and frameworks like Supply-chain Levels for Software Artifacts (SLSA) and the National Institute of Standards and Technology's Secure Software Development Framework (SSDF).

Both developers and CISOs anticipate an increase in the prioritization of software supply chain security in the next five years, with changes expected in tooling and frameworks to address evolving threats.
