Software Supply Chain Security Risk Report
Tooling Gap Leaves Organizations Exposed

Chris Wilder, TAG Cyber

Eighty-eight percent of organizations recognize software supply chain security as an enterprise-wide risk, but 74% say traditional application security solutions are inadequate to fortify their software supply chains against the rising threat. Here’s why — and how to develop a mature supply chain security program.

Contents

Executive Summary 2
Traditional application security is falling short 3
Software supply chain complexity has created security issues 4
Software security is about maturity: Shift up your thinking 4
Organizations are struggling to keep ahead of software development security issues 5
Supply chain security presents enterprise-wide risks 7
4 steps to a mature software supply chain security approach 8
TAG Cyber's take 9

Executive Summary

In April 2023, ReversingLabs partnered with Dimensional Research to survey 321 security and IT professionals on their software supply chains for its report, “Software Supply Chain Security Risk Survey.” This analysis presents key findings and actionable recommendations for security organizations in four key areas:

TRADITIONAL APPLICATION SECURITY SHORTCOMINGS
Existing application security testing tools alone aren’t sufficient to handle evolving — and costly — software supply chain security threats. More adaptable measures are needed.

SOFTWARE SUPPLY CHAIN COMPLEXITY AND SECURITY
Security teams should take a comprehensive approach that includes continuous risk visibility, threat detection and remediation, and software integrity validation.

SECURITY IN SOFTWARE DEVELOPMENT
Security concerns for internally developed and open-source software require comprehensive measures from all contributors.
ENTERPRISE-WIDE SECURITY RISKS
Software supply chain security is a company-wide risk that requires an integrated response by application security and Security Operations teams at all stages of the software development lifecycle.

Organizations can enhance software supply chain security and fortify their overall cybersecurity posture by:

- Implementing continuous security practices.
- Validating third-party components.
- Strengthening threat intelligence capabilities.
- Fostering a security culture.
- Embracing automation that helps to prioritize what you're remediating.

This report sheds light on software supply chain vulnerabilities and risks and provides insights as to how organizations can proactively address threats and protect critical assets.

Traditional application security is falling short

Traditional application security testing tools are only part of the software supply chain solution. They’re great as far as they go, but nearly three quarters of survey respondents said they were insufficient to protect against all software supply chain threats.

Application security teams need more than traditional vulnerability management tools to address today's evolving threat landscape. To cope with the complexity of modern attacks, such as the SolarWinds, 3CX, and CircleCI incidents, these teams need a deep understanding of evolving attack vectors and supply chain risks. These incidents underscore the critical need to monitor software behavior across versions, enabling organizations to detect tampering, verify software integrity, and bolster the resilience of the software development life cycle (SDLC).

Advanced detection techniques, rooted in extensive threat intelligence, are now mandatory. These provide the foundation for early identification of malicious components, offering a strategic advantage in an environment where time is of the essence. Application security teams should broaden their security outlook and integrate more advanced strategies.
This represents a fundamental shift in how organizations are approaching software supply chain security.

[Figure: Percent of respondents who say their organizations use traditional SCA, SAST or DAST tools.]
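As an added example (not code from the TAG Cyber report or from any ReversingLabs product), the script below shows the version-to-version integrity check the section calls for: it verifies a release archive against a pinned SHA-256 (the value a lockfile or vendor manifest would carry), then diffs the per-file digests of two consecutive releases and flags new files and changes to files that run at install time. The two releases, their file names and the list of install-time files are constructed assumptions for the demonstration.

```python
"""Diff two versions of a package archive to surface tampering between releases.

Added example, not from the TAG Cyber / ReversingLabs report. A release is
modelled as a tar.gz archive built in memory; nothing is downloaded.
"""
import hashlib
import io
import tarfile

# Files that execute during installation (assumed list). A change here
# between two point releases is where tampering tends to hide.
INSTALL_TIME_FILES = ("setup.py", "pyproject.toml", "Makefile")
SCRIPT_SUFFIXES = (".sh", ".ps1")


def build_archive(files):
    """Build a tar.gz archive in memory from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned_hash(archive, expected_sha256):
    """Whole-archive integrity check against a pinned digest."""
    return sha256_hex(archive) == expected_sha256


def file_digests(archive):
    """Per-file SHA-256 for every regular file in the archive."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def is_install_time(path):
    """True for files that run during installation rather than at import time."""
    base = path.rsplit("/", 1)[-1]
    return base in INSTALL_TIME_FILES or base.endswith(SCRIPT_SUFFIXES)


def diff_versions(old_archive, new_archive):
    """Compare two releases and list what a reviewer should look at first."""
    old, new = file_digests(old_archive), file_digests(new_archive)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    # New files are unreviewed code; touched install-time files run on every install.
    flagged = sorted(set(added) | {p for p in changed if is_install_time(p)})
    return {"added": added, "removed": removed, "changed": changed, "flagged": flagged}


# Constructed sample releases: 1.0.0, and a 1.0.1 that quietly adds a module
# and rewrites setup.py, the shape of a tampered point release.
RELEASE_1_0_0 = build_archive({
    "pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "pkg/core.py": b"def run():\n    return 'ok'\n",
    "setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
})
RELEASE_1_0_1 = build_archive({
    "pkg/__init__.py": b"__version__ = '1.0.1'\n",
    "pkg/core.py": b"def run():\n    return 'ok'\n",
    "pkg/_telemetry.py": b"# new module not mentioned in the changelog\n",
    "setup.py": b"from setuptools import setup\nimport pkg._telemetry\nsetup(name='pkg')\n",
})

if __name__ == "__main__":
    pinned = sha256_hex(RELEASE_1_0_0)  # what a lockfile would record
    print("1.0.0 matches pin:", verify_pinned_hash(RELEASE_1_0_0, pinned))
    print("1.0.1 matches pin:", verify_pinned_hash(RELEASE_1_0_1, pinned))
    for key, paths in diff_versions(RELEASE_1_0_0, RELEASE_1_0_1).items():
        print(f"{key:8s} {paths}")
```

The pinned-hash check catches any byte-level change but says nothing about what changed; the per-file diff is what turns a failed pin (or a legitimate new version) into a reviewable list, with install-time files and brand-new modules at the top.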

