Major hurdles anticipated in software distribution networks by 2025

Major hurdles anticipated in software distribution networks by 2025

In a recent report titled "The state of software supply chains: Security challenges, opportunities and the path to resilience with open source software," published in partnership with IDC and Google, Canonical has shed light on the rising challenges in vulnerability and patch management, lack of visibility into software dependencies and supply chains, concerns about trust in software sources, and the urgent need to improve security in open source and AI-related software components.

The report, which surveyed 500 participants from organizations with over 250 full-time employees, highlights several key findings:

Key Findings:

1. Vulnerability and Patch Management: Organizations face increasing difficulty managing and remediating vulnerabilities due to complex and deep dependency chains in software supply ecosystems, notably in open source ecosystems like Python’s PyPI. Vulnerabilities often reside in deep, transitive dependencies, complicating exposure and patching efforts.
2. Visibility and Trust: Most organizations lack sufficient visibility into their software supply chains and software bill of materials (SBOMs). This hampers their ability to identify risk and enforce governance because dependencies and their vulnerabilities remain opaque. Trustworthiness of software sources and open source components is a persistent concern for IT professionals.
3. Open Source and AI Security: The growing integration of open source and AI-generated code amplifies security risks. The complexity of managing AI-influenced components and dependencies demands more sophisticated SBOM analysis, continuous monitoring, and rapid patch management.
4. Regulatory Compliance: New global regulations—such as the US Executive Order 14028, the EU’s Cyber Resilience Act and NIS2 directives, and Japan’s AI transparency guidelines—are making compliance with SBOM and software supply chain security mandatory. However, compliance requires more than generating SBOMs; it demands integration into security workflows and ongoing governance.

Recommendations from the Report:

1. Build High-Quality, Living SBOMs: Organizations should treat SBOMs as dynamic and comprehensive artifacts that are regularly updated and enriched to maintain an accurate picture of their software dependencies and vulnerabilities. SBOMs must be the foundation of security and compliance programs.
2. Enhance Dependency Visibility: Invest in tools and processes that improve the visibility of complex, transitive software dependencies to detect and analyze vulnerabilities quickly and thoroughly.
3. Automate Patch Management and Security Remediation: Use automation to accelerate the monitoring, patching, and testing of vulnerabilities, particularly in open source and AI components.
4. Integrate SBOMs with Software Composition Analysis: Pair SBOMs with automated software composition analysis (SCA) to enforce risk-based policies, governance rules, and scalable remediation workflows across the software development lifecycle.
5. Prioritize Trust and Resilience in Software Sources: Strengthen vetting processes and use hardened containers and virtual machines to build more secure runtime environments, reducing risks from supply chain compromises.
6. Prepare for Regulatory Compliance: Align internal policies and technical controls with evolving regulatory requirements by establishing clear documentation, audit trails, and continuous compliance monitoring, enabling organizations to meet standards while improving security posture.

In summary, the Canonical report emphasizes that managing software supply chain security in 2025 demands deep visibility into dependencies, ongoing management of vulnerabilities, integration of SBOMs into security and compliance workflows, and robust approaches to securing open source and AI-based software components. Automation, continuous monitoring, and adherence to evolving regulations are vital for building resilient software supply chains.

Some additional recommendations from the report include implementing a common compliance framework and automating OS updates for vulnerability management and patching. These findings represent both significant challenges and actionable steps organizations can take to improve security and compliance in complex software ecosystems.

Read also:

• Latest Update in Autonomous Vehicle Sector featuring Applied Intuition, Hesai, Plus, Tesla, Pony.ai, and Wayve
• Challenges impeding the implementation of AI, as cited by Chief Information Security Officers, along with potential solutions
• Latest Updates in Autonomous and Self-Driving Vehicles: Tesla, Cybercab, Robovan, AMCI, Gatik, J.D. Power, AeroVironment and OMNIVISION Making Waves in the Industry
• Data breaches become more costly with the advent of 'Shadow AI', according to a new study.