The corporate perimeter is no longer just the systems our own teams control and look after; it is our entire third-party supply chain. Every external dependency—be it an open-source library, a SaaS platform, or an AI model we call via API—is a potential entry point, and the security we assume it provides must be verified.
This threat isn't theoretical. Security teams across the industry know how real it is. The software supply chain is an active crisis, as the ripple effect from incidents like Log4Shell, SolarWinds, and MOVEit proved: a single flaw in one product created a global fire drill for thousands of organizations.
These events have justifiably elevated supply chain risk to a C-suite concern. The problem is, our security practices have not kept pace with our anxiety. Our new report, The State of Software Supply Chain Security, reveals a dangerous assurance gap. As security leaders, we face a critical contradiction: we know the supply chain is our top risk, but we are failing to mandate the very controls we believe are foundational to security.
Here are the top takeaways from the report.
Takeaway 1: The Supply Chain Threat is a C-Suite Priority
The risk is no longer just an IT problem—it's a board-level business problem. Survey data from our CISO Perspectives Report shows that 68% of security leaders (C-suite and C-1) cite third-party and supply chain issues as a top IT risk. This concern is not based on forecasts, but on recent experience: 69% of organizations were impacted by a software supply chain security event in the past year alone.
Takeaway 2: The First Domino of Risk is Custom Code, Not Components
What’s most encouraging here is that the software industry is not a laggard in security. In fact, Cobalt pentest data reveals the software industry is better than other sectors at managing third-party dependencies, showing a lower prevalence of components with known vulnerabilities.
The industry's real security failures are in its own proprietary code. Software companies are more likely than other sectors to have critical flaws involving missing access controls, authentication and session management, and business logic. This shows that running a simple component scanner is not enough. The real, systemic risk is hidden deep in the vendor's unique, custom-built logic.
Takeaway 3: The Assurance Gap is a Critical Policy Failure
This is the central conflict. There is a near-universal consensus among security professionals on how to find these flaws:
- 94% agree that penetration testing is foundational to a modern security program.
- 90% state that pentesting is "very or extremely important" to their strategy.
Despite this, we have a massive policy blindspot. Our survey found that:
- Only 40% of organizations require pentesting from their software vendors.
- Only 49% rely on reviewing pentest results as a key form of security assurance.
We know what to do, we know why it's important, but we are failing to enforce it where it matters most. This is like a chef who buys meat and produce from suppliers without knowing their food-safety qualifications, blindly accepting risk and rolling the proverbial dice.
Takeaway 4: Creating Secure Software is a Monumental Task—But Not an Impossible One
Our report also dug into why software companies struggle with their own code. It’s a perfect storm of:
- Market pressure: The intense, constant demand for new features creates a direct conflict with methodical security testing.
- Modern complexity: The rise of microservices and APIs creates complex, distributed authentication and authorization challenges—which the pentest data proves is the weak spot for software companies.
- Technical debt: Legacy code is often brittle, poorly understood, and deemed too risky to fix, allowing old vulnerabilities to fester.
Using the Wrong Tool for the Job
The 94% of professionals who believe in pentesting are correct by the numbers. It is the only way to find the custom-logic flaws that automated tools miss.
The data proves the software industry's biggest risks are custom-logic flaws driven by speed and complexity. This means we are failing to use the right approach to find the most likely problem. We are trying to vet a custom-built application with a generic checklist, and it's not working.
Despite the complexity of the security challenges, we know what works. We are up to the task because AI-powered, human-led pentesting is designed to find these exact complex, logic-based flaws. Combined with continuous scanning, vulnerability management, and threat intelligence, an offensive security program can reduce—if not eliminate—systemic software supply chain risk.
The question we all have to ask is, of course, whether our third-party dependencies are doing offensive security too.
Recommendations to Close the Assurance Gap
To move from knowing to doing, security leaders must align their vendor risk practices with their security principles. The goal is to make security a mandatory procurement gate, not an afterthought.
- Make proof a prerequisite for procurement. Move beyond trust—trust must be verified. Require an annual, independent penetration test as a non-negotiable, contractual clause for all critical vendors, both at procurement and at renewal.
- Demand the ingredients list. Mandate a machine-readable software bill of materials (SBOM) from vendors. This gives you the power to proactively hunt for component-level risk yourself, without waiting for the vendor to notify you.
- Mandate rigorous API and custom logic testing. Since the data shows the risk is in custom code (access control, authentication), require that vendor pentests include a deep-scope review of all external APIs and core application business logic.
- Create a market incentive for security. By making these requirements mandatory, we (the buyers) create a powerful economic incentive for the entire software industry to invest in building more secure products from the start and, just as importantly, to be diligent in patching and pushing updates when new risks arise.
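As an added illustration of the "hunt for component-level risk yourself" step above (this is example code written for this article, not part of the report or any Cobalt tooling), the script below reads a CycloneDX-style JSON SBOM, identifies each component by its package URL (purl), and checks it against a local advisory list using OSV-style introduced/fixed version ranges. The SBOM, the package names and the advisory IDs are all constructed sample data; the version comparison is a deliberately simple approximation of semantic versioning, and a production pipeline would use a proper purl parser and a real vulnerability feed.

```python
"""Hunt for known-vulnerable components in a vendor-supplied SBOM.

Added example for this article; not code from the report. The SBOM and
the advisory list below are constructed sample data with hypothetical
package names and advisory IDs.
"""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON shape (bomFormat/components/purl).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:maven/org.example/example-logger@2.14.1"},
        {"type": "library", "name": "example-http", "version": "4.5.13",
         "purl": "pkg:maven/org.example/example-http@4.5.13"},
        {"type": "library", "name": "example-json", "version": "1.0.0-rc1",
         "purl": "pkg:npm/example-json@1.0.0-rc1"},
        {"type": "library", "name": "mystery-lib"},  # no version: cannot be assessed
    ],
})

# Constructed advisory list (hypothetical IDs) using OSV-style
# "introduced" (inclusive) / "fixed" (exclusive) version ranges.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "purl_type": "maven", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-2022-0002", "purl_type": "maven", "name": "example-http",
     "introduced": "4.0.0", "fixed": "4.5.13", "severity": "high"},
    {"id": "EXAMPLE-2023-0003", "purl_type": "npm", "name": "example-json",
     "introduced": "0.9.0", "fixed": "1.0.0", "severity": "medium"},
]


def parse_version(text):
    """Turn '2.14.1' or '1.0.0-rc1' into a sortable key.

    Dotted numeric parts compare as integers; a pre-release suffix (after
    '-') sorts *before* the bare release, so 1.0.0-rc1 < 1.0.0. This is a
    simplification of semver ('1.0' sorts below '1.0.0', for instance).
    """
    main, _, pre = text.partition("-")
    numeric = tuple((0, int(p)) if p.isdigit() else (1, p) for p in main.split("."))
    return (numeric, 0 if pre else 1, pre)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed is exclusive)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


# Minimal purl grammar: pkg:<type>/<namespace...>/<name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)(?:@(?P<version>[^?#]+))?")


def parse_purl(purl):
    """Extract (type, name, version) from a package URL; name is the last path segment."""
    m = PURL_RE.match(purl or "")
    if not m:
        return None
    name = m.group("path").rstrip("/").split("/")[-1]
    return m.group("type"), name, m.group("version")


def hunt(sbom_json, advisories):
    """Match every SBOM component against the advisory list.

    Returns {"findings": [...], "unassessable": [...]}. A component with no
    version in either its purl or its version field cannot be assessed and
    is reported separately rather than silently passed.
    """
    sbom = json.loads(sbom_json)
    findings, unassessable = [], []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp.get("purl"))
        ptype, name, version = parsed if parsed else (None, comp.get("name"), None)
        version = version or comp.get("version")
        if not name or not version:
            unassessable.append(name or "<unnamed>")
            continue
        for adv in advisories:
            if adv["name"] != name or (ptype and adv["purl_type"] != ptype):
                continue
            if in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return {"findings": findings, "unassessable": unassessable}


if __name__ == "__main__":
    report = hunt(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in report["findings"]:
        print(f"{f['severity'].upper():8} {f['component']}@{f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    for name in report["unassessable"]:
        print(f"UNKNOWN  {name}: no version in SBOM, ask the vendor")
```

Two details matter in practice. First, a component the vendor ships without a version is not "clean"; it is unassessable, and the script reports it as such so the gap goes back to the vendor rather than disappearing. Second, the sample shows a pre-release (1.0.0-rc1) correctly falling below its fixed version (1.0.0) and a component sitting exactly on its fixed version (4.5.13) correctly passing, which is where naive string comparisons usually go wrong.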
From Shared Risk to Shared Responsibility
The software supply chain crisis is sustained by our own policy failure. We know AI-powered yet human-led pentesting is the answer, but our actions lag behind our conviction.
The most impactful step you can take to secure your organization is to close this assurance gap. Align your procurement policy with your security principles. Stop just believing in the power of pentesting and start requiring it from your supply chain. A company shouldn’t have to be holding your data for you to require a higher level of security excellence every year in the relationship.
Download the full State of Software Supply Chain Security report to get all the data and deeper insights you need to make this case to your security leadership—and to your software vendors.
