Emerging Software Security Risks: How Are Tech Leaders Preparing for 2024?
Software security vulnerabilities can arise from a variety of sources — especially those related to emerging tech. Read on to find out which potential risks are most concerning to tech leaders.
One-minute insights:
- Around half of leaders experienced software-related security issues during the past six months
- The most common sources of security issues were open source software, purchased software and legacy code
- Open source code is viewed by many as a potential risk source, and organizations use vulnerability assessments (VAs) to gauge their risk exposure
- Many plan to increase the resources allocated to protecting against software security risks
- Tech leaders feel informed about emerging risks and are confident they can protect against them
Around half of leaders experienced software-related security issues recently, often due to open source code
Among respondents whose organizations experienced a recent software-related security issue (n = 65), open source code (42%), code in purchased tools (40%) and legacy code (38%) were common sources.
Only 12% identified AI-generated code as the source of their recent security issue.
Nearly all (91%) of those respondent organizations (n = 65) have taken steps to improve their software security practices as a result of their recent experience. 8% plan to improve their security posture, but haven’t yet done so.
Question: In your view, what is the most important thing to remember about protecting against future software security risks?
Most issues happen due to internal hygiene. If we can emphasize that more, we are mostly covered.
Always predict for variability in open source packages that have a massive adoption, like the JavaScript packages that have gone rogue recently.
For many, open source code is a potential risk source; organizations use VAs to gauge their risk exposure
Many respondents (n = 125) anticipate that open source code (54%) or legacy code (43%) will present the most significant software security risks to their organization in the next six months.
Other anticipated risk sources include AI-generated code (39%) and code included in purchased tools/solutions (38%).
70% of respondent organizations use VAs to gauge software security risk. Static code analysis (60%) and monitoring and observability (54%) are also common practices.
In the next six months, 66% of respondent organizations plan to increase the level of investment allocated to assessing software security risk. 23% plan to keep their investment level the same.
Question: In your view, what is the most important thing to remember about protecting against future software security risks?
Never assume you are done with security. It is a continuous activity.
Don’t trust code; verify it to the best of your abilities. Tools exist to help this, but you [must] always be thinking about security, not just of software, but of deployment chains and deployment stacks.
Tech leaders feel informed about emerging software security risks and are confident they can protect against them
92% of respondents feel confident in their organization's ability to protect against software security risks in the next six months.
Question: In your view, what is the most important thing to remember about protecting against future software security risks?
The future landscape of software security risk is still unpredictable due to [the] acceleration of AI tools on both sides of the equation.
Software security vulnerabilities are increasing due to exposure to the third-party libraries used.
Want more insights like this from leaders like yourself?
Click here to explore the revamped, retooled and reimagined Gartner Peer Community. You'll get access to synthesized insights and engaging discussions from a community of your peers.