Software Supply Chain State of the Union 2025
Expanding threat landscape jeopardizes software integrity

​

 

We combined responses from 1,400 Security and DevOps professionals, analysis from the JFrog Security Research team, and JFrog Platform data to understand the state of software supply chains today.​​

​

What’s happening in the market

​

• Open-source risk is exploding with MILLIONS of new packages

• CVE data issues obfuscate vulnerability severity and applicability

• Organizations continue to increase the number of security tools used

• Complete visibility of software provenance eludes many organizations

• The AI software supply chain is booming, but so is the risk

​

 

Key takeaways you will get from this report:

 

What’s in Your Software Supply Chain?

• Number of programming languages used in development organizations

• New packages per year per package type

• Top package technologies in use by organizations

• Pace at which new OSS packages are being injected into an organization

 

The Accelerating Risk in Your Software Supply Chain

• Vulnerabilities found in a given technology or package type

• Most common types of vulnerabilities

• Common vulnerability impacts for high profile CVEs 2024

• Severity of the vulnerabilities being introduced into your software supply chain

• Other sources of risk hiding in your code

 

How Organizations are Applying Security Efforts Today

• Sourcing restrictions

• Scanning, scanning, scanning

• Establishing visibility and control across application pipelines

• How much time security efforts are costing your organization

 

The Next Frontier of Risk: AI and Machine Learning Development

• Trends in AI adoption and DevSecOps

• Usage, governance, and scanning of ML model artifacts