From Overconfidence to Oversight: Bridging the Readiness Gap in Software Supply Chains

Employee-1

Someone with an athletic background might assume they can run a marathon without training, relying on their natural ability to carry them through the miles ahead. However, halfway through they will likely hit a wall due to inadequate conditioning and risk injury. A lucky few might be able to complete the race, but “luck” shouldn’t be a strategy.

The same dynamics play out in software supply chain security, where insufficient preparation is often masked by overconfidence. Lineaje recently conducted a survey at RSA Conference 2025 that exposes the gap between confidence and actual readiness against today’s top threats.

The research revealed that 32% of security professionals think they can deliver zero-vulnerability software despite rising cyberattacks and compliance regulations. While 68% are more realistic, noting they feel uncertain about achieving this near-impossible outcome, it’s clear there are blind spots in organizations’ software supply chain defenses.

Here are some of the other key findings:

SBOM Compliance Stalls Even as Mandates Increase

In the past several years, global software bill of materials (SBOM) guidelines like U.S. Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the EU Cyber Resilience Act have pushed organizations to address software supply chain governance concerns. Yet some organizations are lagging in their adoption. The Lineaje survey found that almost half (48%) of security professionals are behind on complying with SBOM regulations. This lack of adherence exposes organizations to significant fines and potential data breaches, and hurts customer prospects. Only a little more than half (53%) have even started SBOM integration or are presently evaluating solutions or practices, despite the financial and legal penalties for non-compliance.

The reason for the lack of compliance? Organizations do not have enough visibility into what’s lurking in their codebases, especially given that over 90% of applications are built upon open-source dependencies. Of all software weaknesses, 95% are directly attributed to open-source components. In the survey, 34% reported difficulty in accurately identifying and tracking these components, making it nearly impossible to comply with regulations or stay protected. The recent easyjson open-source vulnerability is just the latest example of the multifaceted risks inherent in relying on open-source components.

Security Professionals Working in a Vacuum, Lacking Full-Lifecycle Visibility

Over a third (38%) of respondents said they prioritize the most vulnerable areas within their applications. Unfortunately, this leaves the “less vulnerable” areas of the software supply chain open to attack. AI advancements mean that all vulnerabilities are now exploitable. Security teams’ current lack of visibility into their software supply chains’ dependencies means many organizations are likely underestimating their true risk.

Nearly a third (29%) of security professionals still lack the solutions and processes needed to analyze SBOMs for vulnerabilities. Without the capability to correlate SBOM data with known weaknesses or to automate risk prioritization, security teams are slower to address threats, which widens the window of opportunity for attackers.

The AI Double-Edged Sword

While almost all (88%) of respondents agree that AI has the potential to fill some of the visibility gaps, it doesn’t come without its own set of risks. Respondents were most concerned with AI’s privacy risks (35%) and AI code generation and vibe coding risks (26%). This makes a lot of sense, given that practices like AI code generation and vibe coding significantly increase the software supply chain attack surface. And while AI-powered auto-remediation is a great tool for combating increased risk, it is limited to vulnerabilities for which fixes are available. Over half (70%) of respondents admitted that when a fix isn’t available, they either don’t have, or are not sure whether they have, a remediation plan in place.
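The two gaps above, correlating SBOM data with known weaknesses and knowing what to do when no fix exists, are easier to reason about with a concrete pipeline. The following is an added example written for this post, not Lineaje’s code or any product’s: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed vulnerability feed (placeholder identifiers such as EXAMPLE-VULN-0001, not real advisories), orders findings by CVSS score, and separates the ones an auto-remediation step could upgrade from the ones that need a manual mitigation plan because no patched release exists.

```python
"""Correlate SBOM components with a known-vulnerability feed and prioritise.

Added example (not Lineaje's code). The SBOM below is a constructed
CycloneDX-style document and the vulnerability records are constructed
placeholders, not real advisories or CVE identifiers.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed SBOM: component names, versions and purls are illustrative.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-template", "version": "1.3.0",
         "purl": "pkg:npm/acme-template@1.3.0"},
        {"type": "library", "name": "fastjson", "version": "0.7.7",
         "purl": "pkg:golang/example.com/acme/fastjson@0.7.7"},
        {"type": "library", "name": "acme-http", "version": "2.31.0",
         "purl": "pkg:pypi/acme-http@2.31.0"},
        {"type": "library", "name": "acme-logger", "version": "3.2.1",
         "purl": "pkg:npm/acme-logger@3.2.1"},
    ],
})

# Constructed vulnerability feed: "package" is the purl without a version,
# "fixed" is None when no patched release exists.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "package": "pkg:npm/acme-template",
     "introduced": "1.0.0", "fixed": "1.4.2", "cvss": 9.8},
    {"id": "EXAMPLE-VULN-0002", "package": "pkg:golang/example.com/acme/fastjson",
     "introduced": "0.5.0", "fixed": None, "cvss": 7.5},
    {"id": "EXAMPLE-VULN-0003", "package": "pkg:pypi/acme-http",
     "introduced": "2.0.0", "fixed": "2.30.0", "cvss": 6.1},
]


@dataclass
class Finding:
    component: str
    version: str
    vuln_id: str
    cvss: float
    fixed_in: Optional[str]

    @property
    def fix_available(self) -> bool:
        return self.fixed_in is not None


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a tuple so that 1.10.0 > 1.4.2."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version, and version < fixed when a fix exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Tuple[str, str, str]]:
    """Return (purl without version, name, version) for each SBOM component."""
    sbom = json.loads(sbom_json)
    out = []
    for c in sbom.get("components", []):
        # Drop purl qualifiers ("?...") and the "@version" suffix for matching.
        base = c["purl"].split("?", 1)[0].rsplit("@", 1)[0]
        out.append((base, c["name"], c["version"]))
    return out


def correlate(sbom_json: str, feed: list) -> List[Finding]:
    """Match every component against the feed; highest CVSS first."""
    by_package = {}
    for rec in feed:
        by_package.setdefault(rec["package"], []).append(rec)
    findings = []
    for base, name, version in load_components(sbom_json):
        for rec in by_package.get(base, []):
            if is_affected(version, rec["introduced"], rec["fixed"]):
                findings.append(Finding(name, version, rec["id"], rec["cvss"], rec["fixed"]))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def split_by_fix(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Separate auto-remediable findings from those needing a manual plan."""
    fixable = [f for f in findings if f.fix_available]
    unfixed = [f for f in findings if not f.fix_available]
    return fixable, unfixed


if __name__ == "__main__":
    fixable, unfixed = split_by_fix(correlate(SBOM_JSON, VULN_FEED))
    for f in fixable:
        print(f"UPGRADE  {f.component} {f.version} -> {f.fixed_in}  ({f.vuln_id}, CVSS {f.cvss})")
    for f in unfixed:
        print(f"NO FIX   {f.component} {f.version}  ({f.vuln_id}, CVSS {f.cvss}): needs mitigation plan")
```

The point of `split_by_fix` is the second bucket: the “no fix” list is exactly the set the survey’s 70% have no plan for, so a real pipeline should route it to an owner with a deadline and a compensating control rather than leaving it in the same queue as upgradable findings. Real feeds use richer version-range semantics (and non-numeric versions) than the dotted-integer comparison here, so production tooling should use a purl-aware matcher and the ecosystem’s own version ordering.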

Software Supply Chain Security Moving Forward

Software supply chain security and governance is certainly a marathon, not a sprint. The Lineaje research looks beneath the surface of security professionals’ overconfidence and reveals the industry’s need for full-lifecycle solutions that provide visibility into all code and remediate it at the velocity of digital transformation. With this, teams can make it to the finish line instead of playing catch-up.
