The state of the software supply chain in 2023 continues to be "unacceptable," said Brian Fox, co-founder and CTO at Sonatype. Sounding alarm bells, Fox cited a Sonatype report that said organizations are using known vulnerable components in their applications 96% of the time and known Log4j vulnerabilities nearly 30% of the time.
Although the statistics are worrisome, some progress has been made within the open-source software ecosystem since the Log4j vulnerabilities were disclosed in 2021, Fox said. Government regulations and policies, including the U.S. National Cybersecurity Strategy and the European Union's Cyber Resilience Act, have increased awareness and momentum, albeit slowly.
Read this eBook version of the interview with Information Security Media Group at RSA Conference as Fox also discusses:
- The state of the software supply chain;
- Gaps that must be filled to reach a mature software supply chain;
- SBOMs and how they are driving the conversation.