Software Supply Chain
State of the Union 2024

From Innovation to Infiltration: Safeguarding Against the Hidden Dangers in Your Software Ecosystem
We combined responses from 1,200 Security, Development, and Ops professionals, analysis from the JFrog Security Research team, and Artifactory data to understand the state of software supply chain security. Here’s a sample of the findings:
  • The open source supply chain is exploding with hundreds of thousands of new packages added in 2023
  • Organizations need better ways to prioritize remediation with 85% of Critical CVEs examined reduced in severity by the JFrog Security Research team
  • Security tool sprawl is impacting developer efficiency with up to 25% of time spent on security remediation
  • Organizations would rather use AI for security than trust it to write code
Download the report now
By downloading the report you acknowledge the JFrog Privacy Policy

The Software Supply Chain State of the Union Found:

10+ Programming Languages

leveraged by development teams at enterprises

4-9 Application Security Tools

used on average with larger organizations using 10 or more tools

25% of Developer Time

spent on security remediation by the majority of organizations

The old guard continues to
stand strong

JFrog data shows the top technologies organizations use to create production-ready software haven’t changed that much from year to year. Maven, PyPI, NPM, and Docker continue to be the dominant packaging technology ecosystems used by enterprise organizations.

Read more in the report

Not all CVEs are created equal

In a review of over 200 high profile CVEs created in 2023 the JFrog Security Research found the severity of  85% of Critical CVEs and 73% of High CVEs were overstated. Further analysis found that many CVEs are very unlikely to be applicable in the actual development context.

Download the report

Still hungry for more insights?
Download last year’s report.

Download the report