1、 The State of Software Supply Chain Security Risks Sponsored by Black Duck Independently conducted by Ponemon Institute LLC Publication Date:May 2024 Ponemon Institute Research Report Ponemon Institute Research Report Page 1 The State of Software Supply Chain Security Risks Prepared by Ponemon Insti

2、tute May 2024 Part 1.Introduction The purpose of this research is to understand how prepared organizations are in reducing software security risks in the supply chain.Sponsored by Black Duck,Ponemon Institute surveyed 1,278 IT and IT security practitioners who are in organizations that are committed

3、 to achieving a secure software supply chain and have some level of responsibility for their organizations software supply chain security strategy.The regions and country in this research are North America(613 respondents),EMEA(362 respondents)and Japan(303 respondents).According to the National Ins

4、titute of Standards and Technology(NIST),a software supply chain attack can be as sophisticated as malware injection or as simple as an opportunistic exploitation of an unpatched vulnerability.The malicious code then ends up in an organizations system and may allow the hacker to gain access to sensi

5、tive data or compromise its code to gain access to customers.This may result in a ransomware attack or other malicious incidents.Typically,attackers find a weak link in the supply chain and use it to move up or across the supply chain to their real targets.Vulnerabilities are the root cause of attac

6、ks against many of the software supply chains in this research.Fifty-nine percent of organizations in this research have been impacted by a software supply chain attack or exploit and 54 percent of these respondents say the attacks happened in the past year.As shown in Figure 1,28 percent of respond