2025 Software Supply Chain Security Survey

1. How does your organization utilize software bills of materials (SBOMs) in your software development and security processes?

• We generate SBOMs and use them as a compliance and/or security tool
• We generate and sign SBOMs
• We generate SBOMs
• We don’t use SBOMs but plan to adopt them
• We don’t use SBOMs and have no plans to adopt them
• I don't know

How frequently is your organization's SBOM updated?

• With every build
• On a scheduled basis (e.g., weekly, monthly)
• When changes are made
• Other, write in Please enter an 'other' value for this selection.
• I don't know

How is your organization's SBOM shared or made accessible? Select all that apply.

• Internally
• With customers
• With regulators
• Publicly
• Other, write in Please enter an 'other' value for this selection.
• I don't know

What formats does your organization primarily use for its SBOMs? Select all that apply. 

• SPDX
• CycloneDX
• SWID Tags
• Custom
• Other, write in Please enter an 'other' value for this selection.
• I don't know

2. How often does your organization scan applications to detect and identify vulnerabilities?

• Daily
• Weekly
• Monthly
• Quarterly
• Yearly
• Other, write in Please enter an 'other' value for this selection.
• I don't know

3. In what ways are you implementing AI/ML to detect and/or mitigate risk at your organization? Select all that apply.

• AI-assisted code scanning
• Anomaly detection
• Automated security testing (e.g., DAST, pen tests)
• Continuous compliance
• Cyber threat intelligence (CTI)
• Data loss protection
• Fraud detection
• Endpoint security
• IAM

• Incident response
• IoT security
• Next-gen SIEM
• Security awareness training
• Threat detection
• Threat hunting
• Threat modeling
• Other, write in Please enter an 'other' value for this selection.
• None

4. At what stage in the SDLC does your organization first implement security? 

• Planning/analysis
• Design
• Development/coding
• Testing/integration
• Maintenance
• I don't know

6. Which of the following security tools/tests are integrated into your DevOps pipeline? Select all that apply. 

• Static application security testing (SAST)
• Dynamic application security testing (DAST)
• Interactive application security testing (IAST)
• Runtime application self-protection (RASP)
• Static code analysis
• API testing
• "Chaos monkey" or similar (services constantly probing production for vulnerabilities)
• Dependency analysis against CVE lists
• Pre-commit git (or other VCS) hooks with rules focused on security (e.g., secrets in source)
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• None

7. Which of the following software supply chain threats impact your organization? Select all that apply.

• Access control
• Build system threats
• Connected devices
• Container images
• Dependency confusion attacks
• Deployment and runtime risks
• Hard coding secrets
• IaC template mismatch
• Insecure application components
• Open-source vulnerabilities
• Source code integrity
• Toolchain complexity
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• None currently

What are your biggest challenges related to managing security across a complex toolchain? Select all that apply. 

• Lack of visibility across tools/environments
• Inconsistent or duplicated security controls
• Difficulties in automating security tasks
• Tool sprawl/too many platforms
• Lack of team alignment (e.g., dev vs. sec)
• Difficulty correlating data across stages
• Other, write in Please enter an 'other' value for this selection.
• None

8. Which security measures does your organization leverage AI to secure your software supply chains? Select all that apply.

• Anomaly detection
• Automated code review
• Automated rollbacks
• Bug detection
• Code scanning
• Compliance regulations
• Dependency management
• Intelligent protection
• Monitoring
• Patch generation
• Risk assessment
• SBOM validation
• Threat intelligence and/or detection
• Other, write in Please enter an 'other' value for this selection.
• None

9. What are your greatest challenges when leveraging AI to strengthen and secure your software supply chains? Select all that apply. 

• Cost
• Data quality and availability
• Data privacy concerns
• Explainability
• High false positive or negative rates
• Human error
• Integration complexity
• Lack of training data and/or resources
• Lack of internal AI experience/expertise
• Model accuracy
• Regulatory and ethical concerns
• Securing AI technology (e.g., shadow AI)
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• Not applicable

10. Which zero-trust components are actively being implemented in your organization? Select all that apply.

• Identity and access management
• Network segmentation
• Least privilege enforcement
• Continuous authentication/authorization
• Device trust evaluation
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• None

11. What types of tools or platforms are you using to support your zero-trust architecture? Select all that apply. 

• In-house/custom solutions
• Cloud-native solutions (e.g., AWS, GCP, Azure)
• Third-party security tools (e.g., Zscaler, Okta, Palo Alto)
• Open-source tools
• None

12. What strategies does your organization currently use to minimize its software supply chain attack surface? Select all that apply. 

• Regular dependency audits and updates
• Secure SDLC practices
• SBOM generation and validation
• Vendor/software provenance checks
• Restricted access controls (least privilege)
• Runtime protection (e.g., container hardening, EDR)
• Other, write in Please enter an 'other' value for this selection.
• I don't know

13. How confident are you in your organization's ability to build trust across systems and services (e.g., ensuring secure inter-service communication)?

• Very confident
• Somewhat confident
• Neutral
• Not very confident
• Not at all confident

14. What practices do you use to manage and mitigate open-source security risks? Select all that apply.

• Automated dependency scanning
• Incorporating software composition analysis (SCA) tools
• Enforcing SBOM generation
• Blocking unverified or outdated packages
• Regular vulnerability patching
• Use of curated package registries
• License compliance checks
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• None

15. Which best describes your organization's adoption of SCA tools?

• Fully adopted and integrated into our pipelines
• Partially adopted in some teams/projects
• Evaluating SCA tools
• No current use of SCA

What benefits have you observed from using SCA tools? Select all that apply.  

• Faster detection of vulnerable dependencies
• Better license compliance
• Increased developer awareness of OSS risks
• More efficient vulnerability triage
• No significant impact observed yet

16. What cloud environments does your organization operate in? Select all that apply. 

• Single public cloud (e.g., AWS, GCP, Azure)
• Hybrid (on-prem and cloud)
• Multi-cloud
• Private cloud only
• None

What security strategies are most critical to your hybrid or multi-cloud environments? Select all that apply. 

• Unified identity and access management
• Zero-trust architecture
• Cloud workload protection platforms (CWPP)
• Centralized monitoring/logging
• Data encryption and DLP
• Compliance automation
• Other, write in Please enter an 'other' value for this selection.

17. Does your organization use Infrastructure as Code (IaC)? 

• Yes
• No
• I don't know

How frequently does your organization detect misconfigurations in IAC?

• Daily
• Weekly
• Monthly
• Rarely
• Never

What types of IaC-related issues are most commonly found in your pipelines? Select all that apply. 

• Insecure defaults (e.g., open security groups)
• Hardcoded secrets or credentials
• Missing resource limits or quotas
• Inconsistent tagging or metadata
• Configuration drift
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• None

Are you using Policy as Code to enforce infrastructure security standards? 

• Yes, widely adopted
• Partially used in specific pipelines/projects
• Evaluating implementation
• No

18. How prepared is your organization for meeting evolving regulatory compliance standards (e.g., GDPR, CCPA)?

• Fully prepared
• Mostly prepared with minor gaps
• Somewhat prepared
• Not prepared
• I don't know

19. How often do you review or update your software supply chain to remain compliant with regulations? 

• Continuously/real-time monitoring
• Quarterly or monthly reviews
• Annually
• Only when issues arise
• I don't know

20. Which compliance-related practices are currently implemented at your organization? Select all that apply.

• Compliance as Code
• Automated governance policies
• Manual auditing and reporting
• External compliance consulting
• Other, write in Please enter an 'other' value for this selection.
• None

21. Which IAM practices are in place across your software development and deployment environments? Select all that apply.

• Role-based or attribute-based access control (RBAC/ABAC)
• Multi-factor authentication (MFA)
• Centralized identity federation
• Just-in-time (JIT) access provisioning
• Service/machine identities
• Other, write in Please enter an 'other' value for this selection.
• None

22. What data protection methods are currently in use across your CI/CD workflows? Select all that apply. 

• Encryption in transit and at rest
• Data masking or tokenization
• Automated scanning for exposed PII
• DLP (Data Loss Prevention) tools
• Secure secrets management
• Other, write in Please enter an 'other' value for this selection.
• I don't know

23. How would you rate your organization's ability to detect and respond to incidents across the software supply chain? 

• Very strong, fully automated
• Good, some manual processes still in place
• Fair, inconsistent or reactive
• Poor, limited visibility or preparedness
• I don't know

24. What challenges does your organization face in reducing downtime or improving incident response? Select all that apply.

• Manual investigation and response
• Alert fatigue or too many false positives
• Tool fragmentation/poor integration
• Incomplete observability/logging
• Skills or staffing shortages
• Other, write in Please enter an 'other' value for this selection.
• I don't know

25. Has your organization adopted AI/ML-powered tools for threat detection within the software supply chain? 

• Yes, widely adopted across systems
• In limited or pilot use
• Planning to adopt within the next 12 months
• No current plans
• I don't know

What benefits have you seen from the use of AI/ML for threat detection? Select all that apply. 

• Faster detection
• Better threat prioritization
• Fewer false positives
• Greater scalability of security ops
• Better detection of zero-day threats
• No benefits yet/too early to say

26. What is your current SIEM (Security Information and Event Management) status? 

• Fully deployed and actively used
• In early adoption/testing
• Planning to adopt
• Not actively using
• I don't know

What are the biggest challenges or benefits you've experienced with SIEM? Select all that apply. 

• Improved threat visibility and detection
• Alert overload/high false positives
• Difficulty with integration and scalability
• High costs or resource requirements
• Streamlined compliance and reporting
• Other, write in Please enter an 'other' value for this selection.
• I don't know
• Not applicable

27. What types of software are you currently developing? Select all that apply.

• Web applications/Services (SaaS)
• Native mobile apps
• Enterprise business apps (e.g., legacy client/server apps, customized enterprise apps like SAP)
• Boxed software with updates over the web
• Boxed software without further updates over the web
• Embedded software
• High-risk software (bugs and failures can mean significant financial loss or loss of life)
• Other, write in Please enter an 'other' value for this selection.

28. What programming language ecosystems does your company use? Select all that apply.

• Java
• C/C++
• C#
• Go
• JavaScript (client-side)
• Kotlin
• Node.js (server-side JavaScript)
• Python
• Ruby
• PHP
• Rust
• Scala
• TypeScript
• Other, write in Please enter an 'other' value for this selection.

29. What is your primary programming language at work?

• Java
• C/C++
• C#
• Go
• JavaScript (client-side)
• Kotlin
• Node.js (server-side JavaScript)
• Python
• Ruby
• PHP
• Rust
• Scala
• TypeScript
• Other, write in Please enter an 'other' value for this selection.

31. What best describes your primary role in your company? *This question is required.

• Developer/engineer
• Developer team lead
• Technical architect
• Site reliability engineer (SRE)
• DevOps lead
• Sales engineer
• Consultant/solutions architect
• UI/UX designer
• Self-employed and handle everything
• C-level executive
• Quality assurance (QA)
• IT operations (Sysadmin)
• Business manager
• Business analyst
• Other, write in Please enter an 'other' value for this selection.

32. What is the size of your organization in terms of employees? *This question is required.

• Self-employed
• 2-19
• 20-49
• 50-99
• 100-999
• 1,000-9,999
• 10,000+
• Not applicable

33. Do you wish to enter the survey raffle?
Note: You must be a DZone member to enter (you can join here).

• Yes, take me to the next page
• No, I'm finished with the survey