The Ongoing Struggle: Enterprise Software Supply Chain Security

Log4j, perhaps more than any other recent security issue, has brought software supply chain security to the forefront of attention. The topic has even garnered the attention of the White House. Despite the widespread awareness of the critical importance of establishing a trustworthy and secure software supply chain, many technology executives still struggle with how to effectively implement a strategy around it.

The number of CVEs (Common Vulnerabilities and Exposures) continues to rise steadily, and it is rare to find a container that is free of all vulnerabilities. Some of these vulnerabilities may even exist in libraries that are not used during production, but nonetheless pose a risk.

In their latest Container Report, reveals that the average organization deploys over 50 containers from various vendors each month, with almost 10% deploying more than 250. However, only 12% of the surveyed security leaders reported that they were successfully achieving their vulnerability remediation goals. The remaining responses ranged from struggling greatly to seeing significant room for improvement. Additionally, there is often disagreement between vendors and buyers over which CVEs in a container actually require patching.

As Ayse Kaya,’s VP for Strategic Insights and Analytics, explained, the communication between buyers and vendors typically involves exchanging spreadsheets and having ad hoc meetings between security groups. According to’s report, which was created in collaboration with research firm Enterprise Strategy Group, 75% of organizations still use this method to exchange information with vendors, despite 84% of security leaders indicating a desire for a centralized collaboration platform for managing vulnerabilities. For now, it seems that emailing spreadsheets back and forth remains the norm.

All of this ultimately leads to inefficiencies. The majority of organizations surveyed reported having six or more specialists dedicated to vulnerability remediation, with a quarter of respondents employing over 10. One of the major issues in the industry is the high percentage (over 40%) of false positive alerts received by these teams, often for libraries that are part of a container but not actually used in production. To combat this, Kaya strongly promotes the practice of creating minimal container images. In fact, this could be viewed as a best practice, as it reduces the attack surface and decreases the number of false positives.
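The minimal-image practice Kaya recommends is easiest to see in a Dockerfile. The following is an added illustration, not code from the article or from the report it cites: a multi-stage build in which the full Go toolchain exists only in the build stage, and the production image is a distroless base holding nothing but the statically linked binary. The `fat` target is there for comparison only, so the two images can be scanned side by side. The module layout (`./cmd/server`, `go.mod`/`go.sum`) and the image names are assumptions for the example.

```dockerfile
# Stage 1: build. The compiler, git, curl, libc-dev and the rest of the
# toolchain live here and nowhere else.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a statically linked binary, so the runtime image
# needs no libc or other shared libraries at all.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/server ./cmd/server

# "fat" target (assumed, for comparison only; build with --target fat).
# This is what a single-stage image ships to production: every package in the
# golang base image, so every CVE in those packages appears in the scan even
# though the running service never loads them.
FROM build AS fat
CMD ["/out/server"]

# Default target: a distroless runtime containing only the binary plus CA
# certificates and tzdata. There is no shell and no package manager, which
# both shrinks the attack surface and removes most of the unused-library findings.
FROM gcr.io/distroless/static-debian12:nonroot AS minimal
COPY --from=build /out/server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
```

Build both variants (`docker build -t svc:minimal .` and `docker build --target fat -t svc:fat .`) and run the same vulnerability scanner against each, for example `trivy image svc:fat` and `trivy image svc:minimal`. The difference in finding counts is the share of alerts that were attributable to build tooling and libraries the service never uses, which is exactly the false-positive load the paragraph above describes.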

However, it’s not just security teams that are impacted by these vulnerabilities. The efforts to address them also slow down the overall development process. Most companies report experiencing disruptions multiple times a week due to the detection of a vulnerability in a production container. According to’s report, the average container is now affected by 311 CVEs (up from 282 in 2022) and sees a new release approximately every 11 days. This means more work, more interruptions, and more coordination with vendors to address and resolve these issues.

Dylan Williams

Dylan Williams is a multimedia storyteller with a background in video production and graphic design. He has a knack for finding and sharing unique and visually striking stories from around the world.
