Perforce Software launched a breakthrough in agentic AI testing with the ability to turn plain language inputs into resilient, execution-ready test actions.
Developers often embody the roles of artists, architects, and inventors. Through their expertise, companies have transformed from emerging startups into industry-leading unicorns. But while developers may have an eye for innovation, they are not, nor should they be, security experts or open-source specialists — despite expectations from security teams.
This disconnect has led to an environment where confidence in delivering zero-vulnerability software far outpaces actual preparedness. A new survey from Lineaje revealed that nearly a third of security professionals (32%) believe they can deliver zero-vulnerability software despite the myriad threats and increasing compliance regulations. While 68% are more realistic, the initial number highlights some critical blind spots in organizations' software supply chain defenses.
Here are the other top findings from the research:
Mounting SBOM Regulations Met with Incomplete Implementation
The overwhelming majority (90%) of today's software architectures are made up of open-source code. Unfortunately, 95% of all software weaknesses are directly attributable to open source. The survey found that 34% of security professionals report difficulty in identifying and tracking open-source dependencies. The result is an increase in software supply chain attacks, such as those built on the recent easyjson open-source vulnerability.
In an effort to curb these breaches, there has been an increase in software bill of materials (SBOM) regulations, including the US Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the EU Cyber Resilience Act. However, the research found that 48% of security professionals are falling behind the legislation, and 47% have either not started SBOM integration or are still evaluating tools and practices.
Security Teams Leaving "Small" Vulnerabilities Unaddressed
According to the survey, 38% of security professionals are trying to stay ahead of threat actors by prioritizing the most vulnerable areas of applications. At first, this seems positive. However, it leaves the supposedly less vulnerable areas in the software supply chain open to attack. With AI advancements, all vulnerabilities have the potential to cause catastrophic damage. Without full visibility into all software supply chain dependencies, organizations are likely underestimating risk.
Nearly a third (29%) of teams still lack the tools and processes needed to analyze SBOMs for vulnerabilities. Without the ability to correlate SBOM data with known weaknesses, organizations detect threats later, widening the window of opportunity for attackers to exploit them.
AI Remediation is Rising, But So Are AI-Driven Threats
Almost all (88%) of the security professionals surveyed believe AI has the potential to significantly enhance software supply chain visibility. Over the past few years, there has been an uptick in organizations' desire to use AI for auto-remediation of code. While the readiness to adopt AI to secure code is a good thing, it is only half of the AI equation.
AI also introduces considerable risks. When asked what the most pressing issues with AI are, respondents named data security and privacy risks (35%) and AI code generation and vibe coding risks (26%). With AI code generation and vibe coding significantly increasing the software supply chain attack surface, this makes a lot of sense. While AI-powered auto-remediation is a great tool for combating this increased risk, it is limited to vulnerabilities for which fixes are available. 70% of respondents admitted that when a fix isn't available, they either have no remediation plan in place or are not sure whether one exists.
Developers can't carry the burden of security by default, and AI, while promising, is no silver bullet. The survey underscores the need for organizations to bridge the gap between ambition and execution by investing in full-lifecycle visibility technologies, enforcing SBOM best practices, and preparing for the risks that come with AI. Without this balanced approach, the aspiration of zero-vulnerability software will remain more fiction than reality.
Industry News
OutSystems announced the Early Access Program for OutSystems Agent Workbench.
Harness Infrastructure as Code Management (IaCM) added major new features focused on reusability and scalability: Module Registry and Workspace Templates.
F5 announced new tools to reduce the immense complexity cross-functional operations (XOps) teams face in managing hybrid, multicloud, and AI-driven application environments.
BlueOptima has entered into an agreement to acquire the DevOps solutions business from Cirata, an AIM-listed provider of data and analytics migration solutions.
Google Cloud announced three major advancements for developers using Firebase.
Legit Security announced a major new feature that furthers its commitment to better serve the AI-first developer community: Legit MCP (Model Context Protocol) Server.
Pentera introduced a capability to uncover and validate risk exposure from data in Git repositories.
Domino Data Lab announced the launch of its Vibe Modeling offering.
MetTel announced a strategic partnership with Check Point Software Technologies to deliver an advanced mobile threat defense solution for enterprise customers.
Docker announced major new capabilities that make it easier for developers to build, run, and scale intelligent, agentic applications.
Azul announced a strategic partnership to deliver third-party container images with near-zero Common Vulnerabilities and Exposures (CVEs), backed by Azul’s Java support.
Mirantis is extending support for Swarm for another five years.
Yellow Tail Tech, the training provider known for empowering adults with no IT background to launch successful technology careers, announced the rollout of two advanced programs: the Ansible Automation Certification Prep Track and the DevOps on AWS Track.
Red Hat announced Red Hat Enterprise Linux for Business Developers to simplify access to Red Hat's enterprise Linux platform for business-focused development and testing scenarios.