Lineaje released new research revealing
that 32% of security professionals think they can deliver zero-vulnerability
software despite rising threats and compliance regulations. Meanwhile, 68% are
more realistic, noting they feel uncertain about achieving this near-impossible
outcome. No matter how confident respondents may initially seem, the survey,
conducted at RSA Conference 2025, highlights critical
blind spots in organizations' software supply chain defenses.
SBOM Adoption Lags Despite Regulatory Pressure
While Software Bill of Materials (SBOM) regulations and guidelines
continue to increase, organizations vary in their level of adoption. Notably,
some organizations do not have enough visibility, while others struggle with
insufficient tools and processes. A survey of 100 cybersecurity experts
confirmed this critical challenge, revealing the overwhelming and ultimately
crippling nature of managing SBOMs in a vacuum.
The urgency of this cannot be overstated, especially given that
over 90% of modern codebases
are built upon open-source dependencies, and 95% of software weaknesses are
directly attributable to this code. A substantial 34% reported difficulty in
accurately identifying and tracking open-source components, revealing a critical
blind spot where developers and security professionals remain unaware of the
elements they are integrating into their software supply chains. The recent easyjson open-source
vulnerability, which has been traced back to Russian developers, is the latest
incident emphasizing the significant and multifaceted risks inherent in
reliance on open-source components.
Compounding the lack of visibility, the RSA survey found that almost
half (48%) of security professionals are falling behind global SBOM compliance
regulations, including the U.S. Office of Management and Budget (OMB) Memo M-22-18, Executive Order 14028, and the EU Cyber Resilience Act. Lack of compliance exposes
organizations to significant fines and potential data breaches, and hurts
their standing with security-minded customer prospects. 47% have not started SBOM integration or
are presently evaluating tools and practices, despite legislation potentially
opening their organizations up to legal and financial penalties.
Security Professionals in Need of Full-Lifecycle Visibility
In addition, 38% of respondents noted they prioritize the most
vulnerable areas within their applications. While this may sound positive at
first, this means they are leaving the supposedly less vulnerable areas within
the software supply chain open to attack. With advancements in AI, all
vulnerabilities are now exploitable. For example, GPT-4 can write exploits for
87% of known vulnerabilities. Without full visibility into all of the software
supply chain's dependencies, many organizations are likely underestimating
risks.
Unfortunately, nearly a third (29%) of teams still lack the tools
and processes needed to analyze SBOMs for vulnerabilities. Without the ability
to correlate SBOM data with known weaknesses or automate risk prioritization,
organizations face delayed threat response times, widening the window of opportunity for
attackers to exploit security weaknesses.
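One way to do that correlation, shown here as an added example rather than code from Lineaje or the survey: a small Python routine matches a CycloneDX-style SBOM against an advisory feed and ranks the hits by CVSS score, putting issues with no available fix first so they get a remediation plan. The SBOM, the advisory feed, the package names and the advisory IDs are all constructed placeholders, and versions are assumed to be plain dotted numerics.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape (placeholder packages, not real ones).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-lib", "version": "1.4.2", "purl": "pkg:npm/example-lib@1.4.2"},
        {"name": "example-parser", "version": "2.0.0", "purl": "pkg:pypi/example-parser@2.0.0"},
        {"name": "example-core", "version": "3.1.0", "purl": "pkg:maven/org.example/example-core@3.1.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed); fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "purl": "pkg:npm/example-lib", "introduced": "1.0.0", "fixed": "1.4.5", "score": 9.8},
    {"id": "EXAMPLE-2025-0002", "purl": "pkg:pypi/example-parser", "introduced": "2.0.0", "fixed": None, "score": 9.8},
    {"id": "EXAMPLE-2025-0003", "purl": "pkg:maven/org.example/example-core", "introduced": "3.2.0", "fixed": "3.2.1", "score": 5.3},
    {"id": "EXAMPLE-2025-0004", "purl": "pkg:npm/example-lib", "introduced": "1.5.0", "fixed": "1.5.2", "score": 9.8},
]

def parse_version(text):
    """'1.10.0' -> (1, 10, 0); assumes dotted numeric versions, non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def is_affected(version, advisory):
    """True when introduced <= version < fixed, or version >= introduced and no fix exists."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)

def correlate(sbom_json, advisories):
    """Match each component's purl (with the version suffix removed) against the feed, then rank."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key = comp["purl"].split("@", 1)[0]
        for adv in advisories:
            if adv["purl"] == key and is_affected(comp["version"], adv):
                findings.append({
                    "id": adv["id"], "component": comp["name"], "version": comp["version"],
                    "score": adv["score"], "fixed": adv["fixed"],
                    "action": f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix available: remediation plan required",
                })
    # Highest CVSS first; among equal scores, unfixed issues first because they need a plan, not a patch.
    findings.sort(key=lambda f: (-f["score"], f["fixed"] is not None))
    return findings

if __name__ == "__main__":
    for f in correlate(SBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['component']}@{f['version']} (CVSS {f['score']}) -> {f['action']}")
```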
AI Adoption Increases Productivity, and Attack Surface
Almost all respondents (88%) reported that AI has the potential
to critically or significantly enhance software supply chain security
visibility. For example, we've seen a big uptick in organizations' desire to
use AI for auto-remediation. This readiness to adopt AI to secure code is
driven by the rapid adoption of AI by developers to create code.
When asked which issues AI is creating for organizations today are the most
pressing or high-stakes, the top two responses were data security
and privacy risks (35%), and AI code generation and vibe coding risks (26%).
This makes a lot of sense given that practices like AI code generation and vibe
coding significantly increase the software supply chain attack surface.
AI-powered auto-remediation is a great tool in combating this increased risk;
however, it is limited to vulnerabilities for which fixes are available. 70% of
respondents admitted that when a fix is not available for a vulnerability, they
either have no remediation plan in place or are not sure whether they have
one.
"RSA's theme this year, ‘Many Voices. One Community,’ emphasized
the importance of shedding light on the challenges facing all security
professionals. It is heartening to note that security professionals are more
aware of security drivers around AI innovations, open-source risks, and
increasing regulations," said Javed Hasan, CEO and Co-founder, Lineaje.
"However, driving safer digital infrastructure requires more action tied to
this awareness. Organizations must leverage holistic solutions that can provide
visibility into all code, and fix them at the velocity of digital
transformations - so teams can innovate instead of playing catch-up."