A majority of respondents to a Coalfire study were concerned about software supply chain risks. ("Coding Javascript" by Christiaan Colen is licensed under CC BY-SA 2.0.)

Coalfire on Tuesday released a study that found supply chain risk has become mainstream, with 52% of respondents saying they are “very” or “extremely” concerned about software supply chain risks.

The study, based on a survey of 300 security pros by CyberRisk Alliance, also found that 50% of boards of directors at software-buying companies are raising concerns, which means that responsibility for software supply chain risk no longer resides solely with technical teams.

These findings also have implications for cloud security teams at organizations, said Dan Cornell, vice president of product strategy at Coalfire. Cornell said when companies look at software supply chain security concerns, cloud providers are a critical link in the chain.

“An organization’s first order exposure is via the cloud providers that manage the cloud servers and services they’re using to build and deploy their own software,” Cornell said. “What organizations also need to understand is that the infrastructure running portions of their supply chain — the open source component and container repositories — are also likely hosted on cloud providers and some of their tooling for builds are likely cloud/SaaS providers themselves.”

Tim Mackey, principal security strategist, at the Synopsys Cybersecurity Research Center, said while software supply chain risks are far more than just proper management of open source vulnerabilities, the software composition analysis (SCA) industry has been addressing open source vulnerability management problems for many years. Mackey said the industry now focuses more on software bills of materials (SBOM), but many have failed to notice that the use cases for SBOMs often align with what SCA solutions already provide.

“It then becomes interesting to find that 48% of respondents in the buyer category are prioritizing investment in SBOM design and implementation, when such functionality is a core capability of SCA solutions,” Mackey said. “While there are emerging requirements for software producers to create and provide SBOMs to their customers, the underlying workflow of open source patch management is a solved through workflows present in SCA solutions.”