Mind the Gap: The Disconnect Between Execs & Developers

Note: This blog post was previously published on Hackeroon

We surveyed 1,200+ technology professionals from around the globe, including 300+ VP and C-level executives, on their AI/ML usage and software supply chain security efforts. Upon analysis, a surprising gap emerged between what executives believe is happening and what developers and engineers report is happening.

Here’s what we found out:

  • 88% of executives vs. only 60% of developers say AI/ML tools are integrated in their security scanning and remediation processes.
  • 90% of executives vs. only 63% of developers say their organization uses ML models in their software applications.
  • 92% of executives vs. only 70% of developers say they have solutions for detecting malicious open-source packages.
  • 66% of executives vs. only 41% of developers say they apply security scans at the code and binary levels.

Download the report or keep reading here to learn more.

Are AI/ML tools being integrated into your security scanning and remediation processes?

When it comes to AI/ML usage, 88% of executives believe this new technology is being integrated into their security scanning and vulnerability remediation processes, but only 60% of developers report that being the case.

The study also highlighted regional variations.

The APAC region emerges as the global leader, with 99% of executives believing that their organization integrates AI/ML into its security processes. The United States follows closely behind at 91%. The U.S. is also advancing more quickly than EMEA (82%) in integrating ML models into software applications, which could reflect competitive pressures in the U.S. and/or a more risk-averse climate in Europe caused by strict regulations.

Do you use ML Models in software applications?

Organizations need to prioritize their focus on ML models and AI components, ensuring that there is alignment between executives and developers regarding these tasks. Over 90% of executives reported that their organizations incorporate ML models into their software applications, yet only 63% of developers concurred with this statement.

Do you have solutions for detecting malicious open-source packages?

While 92% of executives were confident that their organizations had the necessary tools to identify malicious open-source packages, only 70% of developers shared this belief. This discrepancy indicates a variation in the understanding of open-source security challenges between the two groups. Executives appeared to underestimate the time that security teams dedicated to fixing vulnerabilities and obtaining approvals for new packages or libraries.

Additionally, executives assumed that a greater proportion of code reviews were automated than developers perceived.

Do you apply security scans at the code and binary levels?

While two-thirds of the executives believed that their organizations conducted security scans at the code or binary level, only 41% of developers concurred. The executives also indicated a higher number of application security solutions being used within their organizations compared to the reports from developers, which may suggest that these tools are underutilized.

Bridge the gap

As malicious actors intensify their focus on software supply chains (SSCs), organizations are under increasing pressure to strengthen their defenses. The continuous growth of the open-source ecosystem, along with the fast-paced evolution of security tools, compels executives to seek more effective methods to safeguard their software development processes.

To find out how you can identify the gaps in your software supply chain security and AI/ML usage, download the report.