Amid sharp budget increases, a dramatic rise in executive-level awareness, and growing enterprise demand for more testing, training, and process improvements to better protect digital assets, the majority of C-level executives are taking action to address new threats and vulnerabilities across an expanding attack surface, and are committed to managing software supply chain risk along the entire software development lifecycle (SDLC), a Coalfire report reveals.

The Securealities Software Supply Chain Risk report, commissioned by Coalfire and conducted by CyberRisk Alliance, surveyed 300 respondents from both software-buying and software-producing companies. Its goal was to capture the impact of highly public cyber events, President Biden’s Executive Order (EO) on cybersecurity, and procurement delays, and to discover what actions companies are taking to address these mission-critical challenges.

Overall, the report highlights the gravity of software supply chain risk and provides best practices for software buyers and sellers to effectively mitigate threats.

Key findings include:

  • Software supply chain risk is now mainstream. More than half (52%) of respondents are “very” or “extremely” concerned about software supply chain risks.
  • More than 50% of boards of directors with software-buying companies are raising concerns, which means that responsibility for software supply chain risk is no longer confined to technical teams.
  • Organizations aren’t standing on the sidelines; they are taking decisive action to combat supply chain vulnerability:
    • Among software buyers, nearly 60% have increased testing on third-party applications, and 50% are purchasing new systems or new tooling.
    • Two-thirds have implemented additional staff training budgets to help manage the deluge of application vulnerabilities.
  • Given the Software Bill of Materials (SBOM) requirements within the President’s EO, 54% of organizations are re-focusing on the SDLC.
  • Corporate leaders are planning to invest heavily in software supply chain risk management, with over one-third likely to allocate at least 10% of their application security budget to supply chain-specific processes.

The security of the software supply chain is a contributing factor in the security of a cloud environment as well. “If you want to secure your cloud environment built using code, you must also secure your software supply chain,” says Sounil Yu, Chief Information Security Officer at JupiterOne. “The challenge with this paradigm shift is that each part (the cloud infrastructure, the software supply chain) and particularly the combination of the two may be unfamiliar territory for traditional security teams, both in the technologies used and the processes that need to be adjusted. This adds to the difficulty of addressing the new threats and vulnerabilities that are prevalent in this new environment.”

Looking at this through the lens of cloud service providers, we need to look at the use case for SBOM information, says Tim Mackey, Principal Security Strategist at the Mountain View-based Synopsys Cybersecurity Research Center. “SBOMs are most useful as part of an overall risk mitigation strategy. This then implies that there are processes in place to measure risk conveyed through an SBOM and then some process to mitigate the identified risk. Since the adoption of cloud services is itself an exercise in transferring operational risk from an internal IT department to that of a cloud provider, the value from an SBOM for the cloud provider’s software is most important to the ITOps teams within the cloud provider. Obviously, some clients will want to know the SBOM for the cloud provider, but requests for information like that contained in an SBOM should first and foremost be associated with a risk strategy,” Mackey explains. “Put another way, if you were to learn via an SBOM that there is a vulnerable, open source component within a cloud provider’s infrastructure, what would your teams do with that information, given they’re unlikely to know what mitigations might be in place?” 

For the full report, visit