In the realm of software supply chain security, collaboration between developers and security leaders is crucial. Drawing from our 2023 CISO & Developer Trends in Software Supply Chain Security Report by Chainguard and Harris Poll, here are the top 10 insights developers hope their CISOs will take to heart:
1. Understanding of security tools:
Many developers feel that CISOs lack a thorough understanding of essential development tools, particularly container images, which are critical in today’s tech landscape. Only 43% of developers believe CISOs are very familiar with the security risks of these tools.
2. Productivity concerns
A substantial 74% of developers report that current security tools hinder their productivity. Developers urge CISOs to consider the impact of security measures on development velocity and seek tools that balance security with efficiency.
3. Communication gaps
Both developers and CISOs agree inadequate communication is a significant barrier to effective security practices. Nearly three-quarters of both groups cite this as a problem in implementing better software supply chain security across their organizations.
4. Security as a shared responsibility
Developers are keenly aware of their role in security; 68% see themselves as primarily responsible for the prevention, mitigation, and/or remediation of supply chain security attacks or compromises.
5. Perceived security expertise
There is a disconnect in how security expertise is perceived. While 72% of developers consider themselves very security-conscious, fewer than half of CISOs believe that developers understand the security risks associated with their tools.
6. Importance of software supply chain security
The importance of securing our software supply chain is recognized on all sides, with 92% of developers stating software supply chain security is crucial to their day-to-day work. At the same time, 93% of CISOs acknowledge that effective software supply chain security practices demonstrate organizational maturity and safeguard against threats.
7. Alignment on priorities
Both developers and CISOs view software supply chain security as a priority, but there is often a misalignment on how it should be prioritized within the broader organizational context.
8. Tension from security prioritization
Prioritizing software supply chain security can lead to tensions, as 77% of CISOs and 68% of developers agree. Developers express security practices should not impede their work.
9. Opportunities for collaboration
Despite the challenges, there is a consensus that more effective collaboration could resolve many issues. The report suggests that finding alignment between developers and security leaders is a complex challenge, but crucial for maintaining the advantages of open source technology and developer velocity.
10. Looking ahead with optimism
Both developers and CISOs are optimistic about the future, believing the prioritization of software supply chain security will only increase, fostering a more secure technological environment.
As Kim Lewandowski, co-founder and Chief Product Officer at Chainguard, states:
Finding alignment between developers and security leaders on software supply chain security is a difficult challenge for even the most well-resourced and staffed organizations. The findings in the report reflect the tension in the security landscape as organizations are re-thinking how to maintain developer velocity and the advantages of open source technology while closing the gap on a new class of vulnerabilities that software supply chains have accrued.
