The number of security challenges companies are facing continue to grow, but organizations are beginning to display signs of “AppSec exhaustion,†or decreased engagement in security practices.Â
This is according to Snyk’s new State of Open Source report, which found that dependency tracking and code ship frequency has remained largely unchanged since last year. There was only a slight increase in the percentage of teams tracking all dependencies and a slight decrease in the number of teams only tracking direct dependencies.Â
The majority of companies who don’t track dependencies at all do run software composition analysis, which Snyk believes indicates that their tracking isn’t systematic but they do check dependencies and open source components for vulnerabilities.Â
There was also a stagnation in code ship frequency, which Snyk says is an indication that DevOps maturity has reached a plateau, as improved tooling and developer experience should facilitate faster code iteration.Â
Other signs of AppSec exhaustion are that none of the eight AppSec methods Snyk included in their survey were used by more than 70% of respondents. Software composition analysis is most popular, but is only used by 69% of respondents.Â
Additionally, there was a decline in the percentage of organizations implementing new tooling to address supply chain vulnerabilities, dropping from 60% in 2023 to 49% in 2024. There was also a decrease in the number of organizations investing in training on supply chain security, from 53% in 2023 to 35% in 2024.Â
“These reductions suggest that organizations may be feeling overwhelmed or fatigued by the continuous pressure of supply chain security demands, leading to reduced commitment to preventive actions. This may indicate fatigue, relatively stable percentage of organizations unaffected by supply chain vulnerabilities further supports this potential fatigue, as some may opt to disengage rather than continually invest in complex and evolving security requirements,†Snyk wrote in the report.Â
Other interesting findings are that:
- 52% of organizations failed to meet vulnerability mitigation SLAs
- 45% has to replace vulnerable build components
- Fewer than 25% of organizations regularly audit their software supply chain
For the report, Snyk surveyed 453 development and security professionals from industries such as automotive, business services, communications, education, energy & utilities, entertainment/media, financial services, government, and SaaS technology.
The post New report finds signs of slowing supply chain security momentum, plateaued DevOps maturity appeared first on SD Times.
Source: Read MoreÂ