A global survey of 1,402 application developers, cybersecurity and IT operations professionals finds 71% work for organizations that, despite any potential vulnerabilities, still allow developers to download packages directly from the internet.

Conducted by Atomik Research on behalf of JFrog, the survey also finds less than half of respondents (43%) indicating their organization is scanning at the source code and binary level, with 40% admitting they lack full visibility into the provenance of software running in production environments.

Paul Davis, field CTO for JFrog, said that while a lot of progress has been made in terms of adopting best DevSecOps practices, the survey makes it clear that there is still much work to be done when it comes to securing software supply chains.

The challenge remains finding a way to augment existing software engineering workflows in a way that application development teams will trust and find easy to embrace, he added.

For example, the survey finds nearly three quarters of respondents (73%) work for organizations that have deployed seven or more security tools and platforms, with nearly half (49%) using 10 or more. However, it’s not clear how often these tools are actually turned on given the number of false positives that are generated.

In fact, the JFrog report notes that security researchers disclosed more than 33,000 critical vulnerabilities and exposures in 2024, but JFrog research found only 12% of the high-profile CVEs rated “critical” by government organizations justify the severity assigned based on how exploitable they really are. A deeper analysis of 183 notable CVEs found 63 to never be exploitable in the applications scanned.

At the same time, however, the overall threat to software supply chains continues to grow as more software packages are downloaded. The average organization adds 458 new packages a year, which, on average, equates to 38 a month.

More challenging still, two-thirds of organizations (64%) report using seven or more programming languages, with 44% using 10 or more. Public repositories, meanwhile, continue to grow, with Docker Hub adding 1.9M images in 2024 and Hugging Face adding a million. An analysis conducted by JFrog found 25,229 exposed secrets/tokens in public registries.

As more organizations also rely on public repositories such as Hugging Face to invoke artificial intelligence (AI) models, the need to secure application programming interfaces (APIs) will also soon become more pressing, noted Davis.

Ultimately, cybersecurity teams need to find a way to work more closely with developers, said Davis. Given the tsunami of alerts that turn out to be false positives, simply creating lists of vulnerabilities that application developers should scan for is not going to significantly improve the overall state of application security, he added. Instead, cybersecurity teams need to become directly involved by, for example, training a handful of application developers to recognize security issues, so that they can then, by example, spread that knowledge through the rest of the software engineering team, said Davis.

Each organization will, of course, need to determine how best to implement DevSecOps workflows. But given how brittle many software engineering workflows already are today, the challenge goes well beyond simply making some additional scanning tools available to application developers who, almost by definition, will always have a limited amount of security expertise.
