Embracing Complexity in DevOps: Software Supply Chain State of the Union 2024
As we delve deeper into the era of software reliance, the 2024 JFrog Software Supply Chain report emerges as required reading for developers and DevOps professionals who are at the frontline of today’s technological innovations.
DevOps and development themes from the 2024 report
The report combines Artifactory data, analysis from the JFrog Security Research team, and survey responses from 1,200 Security, Development, and Ops professionals. Its goal is to understand the state of the software supply chain and what’s required to secure it given its increasing complexity.
Highlights from the report:
- Increasing diversity in the tech stack: Technology stacks are becoming more diverse across industries. The research shows that 53% of organizations use between four and nine programming languages, while 31% use more than ten. This variety not only adds complexity to the software supply chain but also widens the attack surface, so developers and DevOps teams need tools and processes that can manage dependencies and apply security consistently across a wide range of technologies. That said, the top technologies organizations use haven't changed much from year to year: Maven, PyPI, npm, and Docker remain the most popular package ecosystems.
- Explosion of open source components: Open source continues to dominate software development, but it also poses significant security challenges. The research tracks an upsurge in CVEs, particularly in npm and PyPI packages. For developers, knowing which of those vulnerabilities are genuinely exploitable in their context and which are not can eliminate a great deal of wasted remediation effort, leaving more time for building. The report also explains what to watch for and how to keep using open source software safely, even as malicious package activity reaches new highs.
- Shifting security practices: A major takeaway from the report is the shift in how organizations approach security: from a disjointed afterthought to an integral part of the development process. With 89% of surveyed professionals stating that their organizations have adopted a security framework, there is a clear push toward more proactive security measures. For DevOps, this means integrating security early in the development lifecycle, a practice known as "shifting left," which catches vulnerabilities before they reach production. Like it or not, the security challenge isn't going away: in the majority of organizations surveyed, developers currently spend 25% of their time on security remediation. But if you approach development with security best practices in mind from the start, you save that time and become a driving force rather than reacting to, or "taking orders" from, the security team.
- The role of AI and ML: The influx of artificial intelligence (AI) and machine learning (ML) into development processes is transforming how software is built. The report looks at how organizations are using AI to strengthen security practices and streamline development. For developers in particular, understanding these tools can cut time on task and improve code quality. For instance, most teams today use AI for security scanning but not for code generation, likely because of security concerns. The report also lays out considerations and steps organizations can take to expand their use of generative AI tools so that they can scale coding responsibly.
- Managing the software supply chain: At its core, the report sheds light on the expanding software supply chain and its associated risks. It is no longer just about the code you write; it is about the entire ecosystem your code draws from and the pathways it takes to production and beyond. For DevOps teams, this means taking on significant responsibility for managing that supply chain effectively, ensuring compliance, security, and efficiency. The report provides information and resources for further learning to help organizations succeed in a continuously evolving industry.
In sum
For DevOps and development teams, the 2024 JFrog Software Supply Chain report can serve as a roadmap for navigating the complexities of modern software development. It highlights critical challenges and offers insight into how enterprise organizations can use new technologies and practices to mitigate risk while driving innovation. As software systems become ever more interconnected, understanding and implementing the strategies outlined in this report will be key to securing and optimizing our software supply chains.