Lineaje’s latest research uncovers blind spots, regulatory struggles, and a growing urgency for AI-driven solutions in securing modern software supply chains.
At this year’s RSA Conference 2025, Lineaje surveyed 100 cybersecurity professionals and uncovered a striking paradox in software supply chain security: while nearly a third (32%) claim confidence in delivering zero-vulnerability software, the majority (68%) admit uncertainty, revealing a critical misalignment between perception and preparedness.
Despite mounting pressure from global regulations such as the U.S. Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the EU Cyber Resilience Act, nearly half of surveyed professionals (48%) are still lagging behind compliance requirements. Alarmingly, 47% have not yet begun SBOM (Software Bill of Materials) integration or are merely in the evaluation phase. Managing SBOMs in isolation, without proper tools or context, has proven to be an overwhelming challenge. One-third (34%) of respondents reported difficulty identifying and tracking open-source components, leaving organizations exposed to hidden vulnerabilities. The recent vulnerability in the easyjson library, which originated from Russian developers, is just one example of how geopolitical risk and supply chain blind spots can create unexpected threats.
Another potentially troubling trend: 38% of respondents said they only prioritize the most vulnerable areas of their applications. While conceptually this seems practical, advances in AI mean all vulnerabilities should be considered exploitable. With tools like GPT-4 capable of writing exploits for 87% of known vulnerabilities, all components can become entry points for attackers. Additionally, 29% of security teams still lack the tools to effectively analyze SBOMs, making it nearly impossible to prioritize threats or automate responses. The result is slower detection times and larger windows of opportunity for bad actors.
AI is poised to transform software security, but not without complications. 88% of respondents believe AI can significantly enhance software supply chain visibility and threat response, and many are beginning to explore auto-remediation to keep pace with AI-generated code. However, respondents are cognizant of new risks, with top concerns including data security and privacy risks (35%), and AI code generation and vibe coding risks (26%). It's encouraging to see the adoption of AI-powered remediation tools to help combat these risks, but what about when a fix is not readily available? 70% of professionals admit they lack, or are unsure if they have, a remediation plan for vulnerabilities without known fixes - yikes!
This year’s RSA theme, “Many Voices. One Community,” resonated strongly. Voices in software supply chain security have long touted awareness of the challenges, and our survey results show people are listening. However, awareness alone won’t cut it. Security professionals are juggling growing regulations, the unknowns of AI, and the complexity of open-source ecosystems; we, as a community and industry, need to take more action. As organizations face increasing threats and tightening compliance deadlines, the need for full-lifecycle software supply chain security has never been more urgent.