Software Supply Chain Security: Current Practices and Challenges

This short survey is part of an independent personal research project I am planning to pursue in 2026. Its aim is to better understand how organisations approach software supply chain security in practice, highlighting the tools and methods in use in the real world, where friction tends to occur, and where confidence may be lower. Through this survey, I am particularly interested in identifying which aspects of current supply chain security approaches work well in day-to-day operations, and where they are perceived as insufficient or difficult to apply in practice.

This is not a sales or marketing exercise. Participation is entirely voluntary and anonymous, and the survey takes approximately 3–5 minutes to complete. Responses will be used solely to identify patterns and common themes across roles and organisations, for personal research and learning purposes only.

Section A - User Context

Q1. Which best describes your role?

A

Security/AppSec

B

DevOps/Platform Engineering

C

Engineering/Development

D

Risk/Compliance/GRC

E

Architecture

F

Other (please specify)

Q2. What is your organisation size?

A

<100 people

B

100-1000 people

C

1000 - 10000 people

D

>10000 people

Q3. How would you describe your organisation?

A

Regulated enterprise (financial services, critical infrastructure, etc.)

B

B2B Software vendor

C

SME/Scale

D

Other (please specify)

Q4. Roughly how many third-party software suppliers or dependencies do you rely on?

A

<50

B

50-200

C

200-1000

D

1000+

E

Unknown

Q5. Which team is the most involved in third-party software risk in your organisation?

A

Security/AppSec

B

Risk/Compliance

C

Procurement/TPRM

D

Engineering/Platform

E

It's unclear/fragmented

Section B - Current Practices and Reality

Q6. How do you currently assess the risk of third-party software suppliers?

A

Questionnaires/Attestations

B

Software Bill of Materials (SBOMs) supplier-provided

C

Internal scanning (Software Composition Analysis (SCA), container scanning, etc.)

D

Supplier Certifications (ISO, SOC2, etc.)

E

Reliance on established or strategic vendors

F

Combination of the above

Q7. Which of the following do you actively use today? (multi-select)

A

SCA/Dependency scannig

B

SBOM generation

C

CI/CD security controls

D

Container image scanning

E

Manual audits/spreadsheets

F

None of the above

Q8. Today most of your supplier trust is based on:

A

Self-reported information

B

Technical evidence you can verify yourself

C

Reputation or market position of the supplier

Q9. When was the last time you updated your risk view of an existing supplier?

A

Onboarding only

B

Annual/periodic review

C

When an incident occurs

D

Continuosly/Automated

E

Not Sure

Q10. If a supplier’s risk posture changed tomorrow (new dependency, new CVE, compromised component), how quickly would you know?

A

Minutes

B

Hours

C

Days

D

Weeks

E

Only after an incident

F

Not sure

Q11. When a critical dependency vulnerability is disclosed, what usually happens?

A

Automated mitigation/blocking

B

Alert -> manual investigation

C

Ticked created, added to issue pipeline, fixed later

D

Acknowledged but not address

E

Not sure/Depends

Q12. Has your organisation ever had to explain software integrity or provenance to a customer or regulator?

A

Yes, frequently

B

Yes, once or twice

C

No, but expecting to

D

No

Q13. How important is continuous visibility into supplier software risk for your organisation today?

Section C – Perceived Limitation and Open Challenges

Q14. What is the hardest part of managing third-party software risk today? (Select up to 3)

A

Supplier questionnaires are slow and low-quality

B

Hard to keep risk information up to date

C

Too many alerts, not enough clarity

D

Lack of technical evidence

E

Difficult audits/Regulatory pressure

F

Poor visibility into transitive dependencies

G

Unclear ownership internally

H

Incident response is reactive and manual

I

Other (please specify)

Q15. Which aspects of your current supply-chain security processes or tools cause the most friction today? (Select up to 3)

A

Too many alerts/Noise

B

Poor visibility into downstream usage

C

Difficulty enforcing policy

D

Runtime blind spots

E

Compliance evidence generation

F

Tool sprawl

G

Limited engineering/executives and leadership board buy-in

H

Not a major concern

Q16. How confident are you that what suppliers declare matches what is actually deployed?

Q17. Where do you feel least confident in your current approach?

A

Build-time controls

B

Artefact distribution

C

Runtime enforcement

D

Downstream/customer assurance

E

Incident response

F

Compliance

Q18. Have you ever discovered a serious issue after software was already deployed?

A

Yes

B

No

C

Not sure

Section D – Perceptions and Desired Outcomes

Q19. Which statement do you agree with most?

A

"We have good visibility but limited control"

B

"We can block issues early but struggle after deployment"

C

"We rely heavily on manual processes"

D

"Our current tools are sufficient"

E

"Other initiatives currently take precedence"

Q20. In an ideal world, what would you want to be able to say with confidence? (Select any that resonate)

A

We know exactly what third-party code is running

B

We can prove supplier compliance at any time

C

We detect supplier risk changes automatically

D

We can respond quickly without redeploying everything

E

Our customers trust our software more

Q21. If you could remove one problem from your current supply-chain security approach, what would it be?

Q22. What would success look like for you one year from now regarding supply-chain risk?

Q23. Who would most likely own or sponsor a solution that improves the way in which your company handles supply chain security?

A

Security

B

Risk/Compliance

C

Engineering/Developers

D

Procurement

E

Executive leadership

F

Unsure

Q24. Which statement best reflects your situation?

A

We actively want better solutions

B

We know this is a problem but haven’t prioritised it

C

We are constrained by tooling / budget

D

We don’t see this as a major issue yet