Software supply chain security seen as the biggest risk by over a third of UK organisations

Aqua Security, the pioneer in cloud native security, has announced the results of a new study which reveals that, whilst UK firms are realising the benefits of cloud native security, the software supply chain has become a top security concern for them.

The survey was conducted at Cloud Expo Europe in March 2023 and gathered insights from 100+ cloud professionals who attended the event. Compared with a similar survey conducted at the same event in 2022, the results indicate an increase of 18.6% from the previous year to 36.9% of respondents believing supply chain security to be the biggest security risk to their business. Overall, there has been some improvement over the last 12 months in understanding cloud native security risks, but there is heightened confusion over new regulations, and significant fears in regards to supply chain security.

Key results included:
Almost half (47.1%) of respondents chose open-source vulnerabilities as their main software supply chain concern.
34% of organisations now have a Cloud Native Security strategy in place for 2023, compared to 21.2% in 2022.
Barriers to effective Cloud Native Security included lack of understanding (42.7%), limited or lack of budget (38.8%) and perceived difficulty of implementation (29.1%).

“High-profile supply chain attacks have likely drawn organisations’ attention to an issue that has slowly been festering over the last few years,” explained Rani Osnat, SVP of strategy at Aqua Security. “Hopefully, greater concern will lead to greater action, and organisations will implement true end-to-end security solutions to keep their software supply chain secure.”

New regulations causing concern

New compliance obligations regarding supply chain security, such as Executive Order 14028 in the U.S., were a cause for concern for many respondents, but only 36.9% were confident in their ability to adopt new guidelines or frameworks. Furthermore, few organisations planned to implement supply chain security standards: only 22.3% were planning to adopt SBOM standards such as CycloneDX or SPDX, and only 10.7% were planning to implement NIS2 guidelines.

Signs of progress, but barriers still in place

Despite their concerns, the survey did indicate that progress has been made over the last year when it comes to Cloud Native Security. Thirty-four percent of organisations now have a Cloud Native Security strategy in place for 2023, compared to just 21.2% in 2022. Furthermore, there was an increase in the number of organisations indicating that responsibility for Cloud Native Security sits with both IT Security and DevOps teams, up from 20.2% to 28.2%.

Understanding and awareness also appear to have increased, with 46.6% of respondents familiar with the term CNAPP (Cloud Native Application Protection Platform), the cloud native security category introduced by analyst firm Gartner, a 47% increase over the previous year. Furthermore, the number of respondents who cited a lack of understanding as a barrier to a successful Cloud Native Security strategy decreased by 12.9% from last year, to 42.7%.

However, there are still some significant barriers to effective Cloud Native Security. Limited or lack of budget was cited as an obstacle by 38.8% of respondents, and 29.1% stated that they thought Cloud Native Security was complicated or hard to implement.

Osnat concluded: “It’s encouraging to see progress in the UK on Cloud Native Security awareness. With Gartner estimating that more than 95% of new apps will be deployed on cloud-native platforms by 2025, it’s vital that this becomes a key security priority. More must still be done to ensure that security and DevOps teams are armed with the knowledge and solutions needed to stop Cloud Native attacks across the application lifecycle.”