Gap between managers and developers on security

JFrog’s report uncovers several discrepancies between security leaders and development teams, including:

• Detecting malicious open source packages: 92 percent of executives say their companies have tools to detect malicious open source packages, while only 70 percent of developers agree with this statement.
• Integration of AI/ML tools: Over 90 percent of executives believe they use ML models in their software applications, while only 63 percent of developers confirm this.
• Use of AI/ML tools for security scanning: 88 percent of executives believe AI/ML tools are used for security scanning and remediation, but only 60 percent of DevSecOps teams say they actually use these tools.
• Regular code-level security scans: 67 percent of executives believe that code-level security scans are performed regularly, but only 41 percent of developers confirm this.

The study also examines regional differences in security techniques and software supply chain transparency, such as:

• Awareness of security solutions: 14 percent of respondents in the EMEA region were not aware of tools to identify malicious open source packages, compared to just 9 percent in the US and just 1 percent in Asia. There is therefore a significant discrepancy between security strategy and operational implementation in the EMEA region.
• Adoption of AI/ML models: Only 82 percent of respondents in the EMEA region said they already use AI/ML models, compared to 91 percent in the US and 99 percent in Asia.

The report’s findings underscore the need for greater collaboration between executives and developers to improve software supply chain security. It is important that organizations bridge the gap between perception and reality to ensure the security of their software supply chain.