
Survey: Widespread software supply chain risks persist amid tool overload, limited visibility

A global survey of 1,402 software development, cybersecurity, and IT operations professionals has revealed persistent gaps in software supply chain security despite widespread tool deployment, DevOps reports.

The research, commissioned by JFrog and conducted by Atomik Research, found that 71% of organizations still permit developers to download code packages directly from the internet, a practice that can introduce unverified components into production environments.

Fewer than half of the respondents (43%) report conducting security scans at both the source code and binary levels, and 40% admit to lacking full transparency regarding the origin of their deployed software.

Additionally, while nearly three-quarters of organizations have implemented seven or more security tools, many face operational challenges from alert fatigue and false positives, which can lead to those tools being underused.

In 2024 alone, more than 33,000 critical vulnerabilities were disclosed, yet JFrog’s analysis found only 12% were likely to be exploitable. The complexity of modern environments, with organizations using an average of 38 new packages monthly and multiple programming languages, compounds these risks.

As public repositories like Docker Hub and Hugging Face grow, securing exposed secrets and APIs becomes increasingly vital. In light of the findings, JFrog emphasized the importance of embedded security training within development teams to foster more proactive and effective cybersecurity strategies.
