
Black Duck Report Reveals Software Supply Chains Vulnerable as AI Adoption Outpaces Security

While 95% of surveyed organizations reported using AI tools in software development, only 24% have adopted comprehensive strategies to secure AI-generated code

Black Duck, the leader in AI-powered application security, announced the release of a new report, “Navigating Software Supply Chain Risk in a Rapid-Release World.” The findings show that AI adoption is outpacing the protection of AI-generated code, leaving organizations with a widening risk gap.

The study, conducted by UserEvidence, is based on a survey of 540 software security leaders and practitioners. The report highlights a critical disconnect: while 95% of organizations are leveraging AI tools for software development, a mere 24% are implementing comprehensive intellectual property, license, security, and quality evaluations for AI-generated code. This oversight exposes the software supply chain to potentially severe and unaddressed risks.

Key Findings from the Report Include:

  • AI Adoption Outpaces Security: Most organizations are embracing AI in development, yet robust security protocols for AI-generated code are largely absent, creating new attack vectors. Although 76% of respondents check AI code for security risks, only 24% perform IP, license, security, and quality evaluations for AI-generated code.

  • Dependency Management is Key to Preparedness: Organizations highly effective at tracking and managing open source dependencies are significantly more prepared (85%) to secure open source software compared to the overall average (57%).

  • Automation Drives Faster Remediation: Of the respondents that perform automatic continuous monitoring, 60% report remediating critical software vulnerabilities within a day. In contrast, only 45% of the full respondent pool say they remediate critical software vulnerabilities within a day, showing that organizations that haven’t implemented automatic continuous monitoring are at a clear disadvantage when protecting the software supply chain.

  • SBOM Validation Enhances Third-Party Security: Validating Software Bills of Materials (SBOMs) from external suppliers dramatically improves an organization’s ability to evaluate third-party software and respond to critical vulnerabilities. Of the respondents that always validate SBOMs, 63% say they’re highly prepared to evaluate third-party software, and 59% typically respond to critical software vulnerabilities within one day.

  • Compliance Controls Boost Efficiency: Organizations with more compliance controls in place demonstrate greater efficiency in remediating critical software vulnerabilities. Of the respondents that use at least three compliance controls, 49% remediate critical vulnerabilities within a day. This percentage jumps to 54% for the respondents that use at least four compliance controls. Additionally, 35% of respondents cite interpreting and operationalizing complex regulatory requirements as their biggest challenge.

“We’re in a new era of rapid software innovation, fueled by AI, but these findings reveal a critical challenge: security isn’t keeping pace,” said Jason Schmitt, CEO at Black Duck. “It’s imperative that organizations prioritize robust security frameworks, with a sharp focus on AI-generated code and meticulous dependency management, to build truly resilient software supply chains.”

The report emphasizes that a resilient software supply chain extends beyond mere compliance, enabling organizations to proactively address vulnerabilities, minimize downtime, prevent data breaches, and ultimately improve developer productivity and increase development velocity.
