You didn't write 77% of your application. You didn't choose 80% of your dependencies. You can't see 67% of your vulnerabilities (Forrester 2024).
Yet you're responsible for 100% of the breaches.
This is the reality of supply chain security today. To help you understand the landscape and current state of best practices, we analyzed 20 industry reports published in 2024-2025 from Forrester, Veracode, Google Cloud, JFrog, DORA, and other leading security research organizations. Read on to find out what that data reveals about the state of software supply chain security—and what separates teams who are closing the remediation gap from those falling further behind.
The 2025 Supply Chain Security Benchmark
Twenty industry reports from leading security vendors reveal how the supply chain security landscape has evolved:

What These Trends Reveal
The problem grows faster than solutions:
• Open-source adoption accelerates (87% in 2025, up from 74% in 2023)
• Mean Time to Remediation (MTTR) stalls at 252 days (Veracode 2025)
• Organizations add 458 new packages yearly (JFrog 2025)
• Teams fix less than 10% of existing vulnerabilities monthly (Veracode 2025)
The detection paradox:
• Supply chain attacks increased 567% year-over-year (Google Cloud 2025)
• Detection rates dropped to just 3% (Google Cloud 2025)
• 88% of "Critical" CVEs aren't exploitable in context (JFrog 2025)
• When every alert screams "critical," teams tune them all out
The positive trend:
• SCA adoption improving (67% still lack tools, down from 71% in 2023)
• However, first-generation SCA tools focus on detection, not triage or remediation
• That explains why MTTR hasn't improved despite broader tool adoption
Bottom line: The industry solved visibility. Triage and remediation remain unsolved.
The Data Behind Supply Chain Risk
The actual scope of the challenge:
• 77-97% of your code is open source (Forrester Wave SCA Q4 2024, OpenText State of Application Security 2025)
• 80% of vulnerabilities come from transitive dependencies - code you didn't even choose (Forrester 2024)
• 70% of critical security debt originates from third-party code (Veracode State of Software Security 2025)
• Average application has 128 direct dependencies, each with 4+ of their own (Forrester 2024)
• 458 new packages added per organization yearly - each requiring security review (JFrog Software Supply Chain Report 2025)
The Scale Challenge
Let's do the math on a typical application (Forrester 2024):
• 128 direct dependencies
• Each has ~4 dependencies
• Each of those has ~3 dependencies
That's 128 × 4 × 3 = 1,536 potential vulnerability points from a single application.

Most security teams can't manage this scale manually. Teams fix less than 10% of vulnerabilities monthly while 33,000 new CVEs appear yearly. This isn't a people problem—it's a capacity problem.
Why Traditional AppSec Approaches Fall Short in SCA
Even as organizations adopt SCA tools, fundamental gaps remain. Finding vulnerabilities doesn't secure your code—triaging and fixing them does. Four critical failure modes:
1. The Visibility Problem
67% of organizations still lack Software Composition Analysis (SCA) tools (Forrester 2024). Without visibility into dependencies, you're blind to the risks across much of your attack surface.
Even when present, SCA coverage often stops at direct dependencies—missing the deeper, nested code where modern exploits hide. The XZ Utils backdoor in 2024 demonstrated this vulnerability: the malicious code existed in a transitive dependency several layers deep, evading detection by tools that only scanned first-level dependencies.
What's missing: Detection without depth leaves organizations exposed to supply chain attacks that operate in the blind spots of shallow scanning.
2. The False Positive Challenge
88% of "Critical" CVEs aren't actually critical in your context (JFrog 2025). With 1,536 potential issues per application, that's 1,352 false alarms to triage.
This alert fatigue changes behavior. AppSec teams spend 40% of their time on triage rather than fixes (Black Duck Global DevSecOps 2025, Contrast Security 2025). Organizations with high false positive rates have longer MTTRs than those with fewer, more accurate alerts (Veracode State of Software Security 2025). When developers see 1,000 dependency alerts per month with 60-70% false positive rates, they stop looking. If your best engineers are ignoring security alerts, ask what those alerts taught them to expect.
The blind spot: More data creates more noise, not more security. Without intelligent triage, visibility becomes paralysis.

3. The Transitive Dependency Gap
80% of vulnerabilities come from dependencies of dependencies (Forrester 2024). Traditional tools scan direct dependencies. The real risk is 3-4 levels deep.
Recent incidents highlight this blind spot:
• XZ Utils (2024): Compromised maintainer account introduced a backdoor into a widely used compression library
• Colorama Python package (2024): Typosquatting attack on transitive dependency affected thousands of projects
• Log4Shell (2021): Exploited through multiple layers of Java dependency chains
Each of these attacks succeeded because they operated at the transitive level where visibility and control are weakest.
Why this fails: First-generation SCA tools were designed for a simpler dependency world. Modern supply chains have an average dependency depth of 4-6 levels—far beyond what manual processes can manage.
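To make the depth argument concrete, here is an added example (not code from the article or from any of the vendors it names) that walks a constructed dependency graph breadth-first, records the shallowest depth at which each package appears, and compares what a direct-only scan (depth 1) reports against the full transitive closure. The graph, the package names and the ADV-EXAMPLE advisory ids are all constructed placeholders; the shape simply mirrors the fan-out the article describes.

```python
"""Compare a direct-only dependency scan with a full transitive scan.

Added example; the graph and advisories below are constructed for
illustration and are not taken from any real lockfile or advisory feed.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "app" is the application; everything else is open-source code it pulls in.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "logging-lib"],
    "web-framework": ["template-engine", "router"],
    "http-client": ["tls-shim", "url-parser"],
    "logging-lib": ["formatter"],
    "template-engine": ["html-escape"],
    "router": [],
    "tls-shim": ["asn1-codec"],
    "url-parser": [],
    "formatter": [],
    "html-escape": [],
    "asn1-codec": ["bignum"],
    "bignum": [],
}

# Constructed advisories: package -> placeholder advisory id (not real CVEs).
ADVISORIES = {
    "http-client": "ADV-EXAMPLE-001",  # direct dependency
    "html-escape": "ADV-EXAMPLE-002",  # three levels down
    "bignum": "ADV-EXAMPLE-003",       # four levels down
}


def dependency_depths(graph, root="app"):
    """Return {package: shortest depth from root}; direct dependencies are depth 1.

    Breadth-first search, so a package reachable by several paths is recorded
    at the shallowest depth, which is the depth a scanner first encounters it.
    Deduplicating by package rather than by path keeps the count honest.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, depth = queue.popleft()
        if pkg in depths:
            continue  # already reached via a shorter or equal path
        depths[pkg] = depth
        for child in graph.get(pkg, []):
            queue.append((child, depth + 1))
    return depths


def scan(graph, advisories, max_depth=None, root="app"):
    """Return {package: (advisory, depth)} for advisories within max_depth levels.

    max_depth=1 models a direct-only scanner; None scans the whole closure.
    """
    found = {}
    for pkg, depth in dependency_depths(graph, root).items():
        if max_depth is not None and depth > max_depth:
            continue
        if pkg in advisories:
            found[pkg] = (advisories[pkg], depth)
    return found


def coverage_gap(graph, advisories, root="app"):
    """Advisories present in the full closure but invisible to a direct-only scan."""
    direct = scan(graph, advisories, max_depth=1, root=root)
    full = scan(graph, advisories, root=root)
    return {pkg: full[pkg] for pkg in full if pkg not in direct}


if __name__ == "__main__":
    depths = dependency_depths(DEPENDENCY_GRAPH)
    print(f"{len(depths)} packages in closure, max depth {max(depths.values())}")
    for pkg, (adv, depth) in coverage_gap(DEPENDENCY_GRAPH, ADVISORIES).items():
        print(f"missed by direct-only scan: {pkg} ({adv}) at depth {depth}")
```

Real lockfiles (package-lock.json, poetry.lock, the output of go mod graph) give you the same parent-to-child edges. The instructive part is that two of the three advisories sit at depths 3 and 4, exactly the range the article says first-level scanning never reaches.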
4. The Fix Capacity Crisis
Most teams fix less than 10% of vulnerabilities monthly (Veracode 2025). Meanwhile, organizations add 458 new packages yearly, each bringing multiple dependencies. The backlog keeps growing.
True SCA maturity isn't visibility—it's velocity: the ability to triage intelligently, prioritize accurately, and remediate automatically in the same workflow.
The math is unforgiving (DORA State of DevOps 2024):
• Average team: 10-15 developers
• Each developer: ~19% of time on security
• That's ~2.8 FTE-equivalent for security across the team
• Multiply 1,536 potential issues per application by the number of applications, and keeping pace becomes mathematically impossible
The capacity wall: Detection scales infinitely through automation. Triage and remediation still require human judgment and human developers. Without automated triage and automated fixes, the backlog compounds indefinitely.
The Supply Chain Attack Landscape
Attackers have industrialized supply chain exploitation:
• 15% of CVEs are exploitable in most environments (JFrog 2025)
• But in a sea of 1,536 potential issues, finding that 15% is nearly impossible
• 567% increase in supply chain attacks year-over-year (Google Cloud Threat Horizons 2025)
• 12 minutes average time to compromise via supply chain (Google 2025)
• 3% detection rate for supply chain attacks (Google 2025)
Attackers shifted left faster than defenders.
The same open-source ecosystem that accelerates development creates attack vectors at scale. A single compromised maintainer account or malicious package affects thousands of downstream projects within hours. Meanwhile, defenders operate at the pace of manual triage and human-authored fixes.
Follow the thread: attackers automated exploitation → supply chain attacks grew 567% → defenders still triaging manually → detection dropped to 3%. Each layer of this failure compounds the next.
Three Generations of SCA Approaches

SCA solutions fall into three distinct categories:
Generation 1: Detection-Only SCA (2010-2020)
Examples: Early SonarQube, Black Duck, WhiteSource (now Mend)
Capabilities:
• Dependency inventory and license compliance
• CVE database matching
• Basic vulnerability alerts
Limitations:
• No context on exploitability
• High false positive rates (80-90% per industry benchmarks)
• No remediation guidance
• Manual triage required for everything
Best for: Organizations just starting SCA adoption, compliance-focused teams.
Generation 2: SCA + Policy Enforcement (2018-2024)
Examples: Snyk, GitHub Advanced Security, modern SonarQube
Capabilities:
• Reachability analysis (is vulnerable code actually called?)
• Policy gates in CI/CD pipelines
• Developer-friendly UI and IDE integration
• Automated PR comments
• Dependency upgrade suggestions
Limitations:
• Still requires manual fixes
• Suggestions often break builds
• No transitive dependency resolution
• Triage still manual—developers still spend 19% of time on security (DORA 2024)
Best for: Mid-maturity teams with strong DevSecOps culture.
Generation 3: Intelligent Triage + Automated Remediation (2023-Present)
Examples: Emerging category with vendors like Pixee, Snyk Autofix, GitHub Copilot Autofix
Capabilities:
• Reachability-based triage that filters non-exploitable vulnerabilities
• Context-aware fix generation tailored to specific codebases
• Automated pull requests with pre-merge testing
• Transitive dependency upgrades with compatibility verification
• Integration with existing scanner ecosystems
Limitations:
• Newer technology with limited track record
• Requires organizational trust in automated decisions
• Coverage varies by language and vulnerability type
• Quality of fixes varies significantly by vendor
Best for: High-velocity teams with large backlogs, enterprises seeking scale.
What the Data Shows
According to the 2024 Forrester Wave for SCA, most organizations still use Generation 1 tools (67% adoption rate overall, but majority using detection-only capabilities). Only 23% of organizations have implemented policy enforcement (Forrester 2024), and less than 5% have deployed intelligent triage and automated remediation at scale (industry analysis).
This explains the MTTR stagnation: teams have visibility but lack the triage intelligence and fix capacity to act on it. The average team runs 5.3 security scanners (industry research), but scanner proliferation hasn't translated to faster remediation.
What High-Performing Teams Do Differently
Top-quartile teams (MTTR under 30 days) share common practices:
1. Reachability Analysis Over Severity Scores
High performers don't treat all "Critical" CVEs equally. They layer multiple signals:
• Reachability analysis: Is the vulnerable function actually called in our code paths?
• Exploit availability: Does a working exploit exist in the wild?
• Asset criticality: Does this affect production, customer-facing systems?
• Compensating controls: Are there WAF rules or network segmentation in place?
Reachability analysis—tracing whether vulnerable code is actually executable in your specific environment—is the single most impactful triage filter. It's why Forrester's 2024 SCA Wave made reachability a key differentiator.
Result: 74% reduction in triage time (Veracode State of Software Security 2025) by focusing only on exploitable, reachable vulnerabilities in critical systems.
2. Clear SLAs By Risk Level
Top teams establish and enforce remediation SLAs (DORA State of DevOps 2024):
• Critical + exploitable + reachable: 7 days
• High + exploitable: 30 days
• Medium or not reachable: 90 days
• Low or false positive: Backlog/ignore
This prevents "everything is urgent" fatigue and lets teams focus on what matters.
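The two practices above fit together as a single triage function: layer the four signals (reachability, exploit availability, asset criticality, compensating controls) onto the scanner's severity label, then read the SLA off the ladder. The block below is an added example, not code from the article or from any vendor it names. The findings are constructed with placeholder ADV-EXAMPLE ids; the rule that a non-production asset or a compensating control relaxes a tier by one step (never past 90 days) is this example's own policy choice, and where the ladder is silent (a reachable Critical with no known exploit) the example falls back to 90 days.

```python
"""Risk-based triage: four context signals in, one SLA tier and due date out.

Added example; the findings are constructed and the tier-relaxation rule for
non-production assets and compensating controls is an assumption of this
example, not a rule taken from the cited reports.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tier -> SLA in days, following the ladder above. P4 is backlog/ignore, no clock.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}
OPENED = date(2025, 1, 6)  # constructed alert date used by the report below


@dataclass
class Finding:
    advisory: str                        # placeholder id, not a real CVE
    package: str
    severity: str                        # scanner label: Critical / High / Medium / Low
    reachable: bool                      # vulnerable function on an executed code path?
    exploit_available: bool              # working exploit known in the wild?
    production: bool                     # asset criticality: production / customer-facing?
    compensating_control: bool = False   # WAF rule or segmentation already covers it
    false_positive: bool = False         # confirmed not applicable in this context


def base_tier(f: Finding) -> str:
    """Apply the SLA ladder: P1 = 7 days, P2 = 30, P3 = 90, P4 = backlog."""
    if f.false_positive or f.severity == "Low":
        return "P4"   # low or false positive: backlog/ignore
    if not f.reachable:
        return "P3"   # not reachable: 90 days, whatever the scanner label says
    if f.severity == "Critical" and f.exploit_available:
        return "P1"   # critical + exploitable + reachable: 7 days
    if f.severity in ("Critical", "High") and f.exploit_available:
        return "P2"   # high + exploitable: 30 days
    return "P3"       # medium, or no known exploit (assumption): 90 days


def relax(tier: str) -> str:
    """Move one tier down but never past P3, so the finding stays on a clock."""
    return {"P1": "P2", "P2": "P3", "P3": "P3"}[tier]


def triage(f: Finding) -> str:
    """Base tier adjusted for asset criticality and compensating controls (example policy)."""
    tier = base_tier(f)
    if tier == "P4":
        return tier
    if not f.production:
        tier = relax(tier)
    if f.compensating_control:
        tier = relax(tier)
    return tier


def due_date(tier: str, opened: date) -> Optional[date]:
    """Calendar deadline for the tier, or None for backlog items."""
    days = SLA_DAYS.get(tier)
    return opened + timedelta(days=days) if days else None


def triage_report(findings, opened):
    """{advisory: (tier, due date or None)} for a batch of findings."""
    return {f.advisory: (triage(f), due_date(triage(f), opened)) for f in findings}


# Constructed findings: three carry the same "Critical" scanner label yet land
# in three different tiers once reachability, exploitability and context apply.
FINDINGS = [
    Finding("ADV-EXAMPLE-101", "tls-shim", "Critical", True, True, True),
    Finding("ADV-EXAMPLE-102", "template-engine", "Critical", False, True, True),
    Finding("ADV-EXAMPLE-103", "url-parser", "High", True, True, False),
    Finding("ADV-EXAMPLE-104", "formatter", "Critical", True, True, True, compensating_control=True),
    Finding("ADV-EXAMPLE-105", "bignum", "Medium", True, False, True),
    Finding("ADV-EXAMPLE-106", "router", "Low", True, True, True),
]

if __name__ == "__main__":
    for adv, (tier, due) in triage_report(FINDINGS, OPENED).items():
        print(f"{adv}: {tier} due {due or 'backlog'}")
```

Reachability is deliberately checked before severity: a Critical that is not on any executed path drops straight to the 90-day tier, which is the filtering effect the 74% triage-time figure above depends on.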
3. Automation at Every Layer
High-performing teams automate:
• Detection: SCA integrated into every PR
• Triage: Automated reachability + exploitability checks that eliminate 80%+ of false positives
• Remediation: Automated dependency upgrades that pass tests before developers see them
• Validation: Automated testing of fixes before merge
Result: 91% reduction in developer time spent on security (DORA State of DevOps 2024, Veracode 2025).
4. Developer-First Workflows
Elite teams meet developers where they are:
• Fixes delivered as merge-ready pull requests, not JIRA tickets
• Context included in PR descriptions (what, why, how to test)
• One-click approval for low-risk changes
• Security team focuses on policy, not individual fixes
Result: Early data from automated remediation tools shows significantly higher acceptance rates than manual security tickets. Developers become fix reviewers, not fix authors. When remediation cycles collapse from hours to minutes, developers engage rather than ignore.
5. Continuous Measurement
Top teams track leading indicators:
• Mean Time to Detection (MTTD)
• Mean Time to Remediation (MTTR) by severity
• Fix capacity vs. new vulnerability rate
• Developer time spent on security tasks
• Merge rates for security PRs
These metrics drive continuous improvement.
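The indicators above only drive improvement if someone computes them from a findings ledger on a schedule. The block below is an added example (not code from the article or from any vendor it names) that derives MTTD, MTTR by severity, fix capacity versus new-alert rate, and the security-PR merge rate from a constructed ledger; the ADV-EXAMPLE ids and all dates are placeholders. Developer time spent on security is not derivable from such a ledger and is left out.

```python
"""Leading indicators from a findings ledger.

Added example; the ledger is constructed and its ADV-EXAMPLE ids are
placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Record:
    advisory: str              # placeholder id, not a real CVE
    severity: str              # Critical / High / Medium / Low
    published: date            # advisory publication date
    detected: date             # first reported by our scanner
    fixed: Optional[date]      # date the fix merged, or None if still open
    pr_opened: bool = False    # a security PR was raised for this finding
    pr_merged: bool = False    # ... and developers merged it


# Constructed ledger covering one quarter.
LEDGER = [
    Record("ADV-EXAMPLE-201", "Critical", date(2025, 1, 2), date(2025, 1, 3), date(2025, 1, 9), True, True),
    Record("ADV-EXAMPLE-202", "Critical", date(2025, 1, 5), date(2025, 1, 12), date(2025, 2, 1), True, True),
    Record("ADV-EXAMPLE-203", "High", date(2025, 1, 1), date(2025, 1, 15), date(2025, 2, 24), True, True),
    Record("ADV-EXAMPLE-204", "High", date(2025, 1, 20), date(2025, 1, 21), None, True, False),
    Record("ADV-EXAMPLE-205", "Medium", date(2024, 12, 1), date(2025, 1, 10), date(2025, 3, 31)),
    Record("ADV-EXAMPLE-206", "Medium", date(2025, 1, 25), date(2025, 2, 3), None),
    Record("ADV-EXAMPLE-207", "Low", date(2025, 1, 8), date(2025, 2, 10), None),
]

# Reporting windows (inclusive) used by the capacity metrics.
JAN = (date(2025, 1, 1), date(2025, 1, 31))
FEB = (date(2025, 2, 1), date(2025, 2, 28))


def mttd_days(records):
    """Mean days from advisory publication to first detection by our scanner."""
    return mean((r.detected - r.published).days for r in records)


def mttr_by_severity(records):
    """Mean days from detection to merged fix, per severity; None if nothing fixed yet."""
    result = {}
    for sev in sorted({r.severity for r in records}):
        closed = [(r.fixed - r.detected).days for r in records if r.severity == sev and r.fixed]
        result[sev] = mean(closed) if closed else None
    return result


def alerts_in(records, window):
    """Findings first detected inside the window."""
    start, end = window
    return sum(1 for r in records if start <= r.detected <= end)


def fixes_out(records, window):
    """Findings whose fix merged inside the window."""
    start, end = window
    return sum(1 for r in records if r.fixed and start <= r.fixed <= end)


def capacity_ratio(records, window):
    """Fixes out divided by alerts in; below 1.0 the backlog grew during the window."""
    new = alerts_in(records, window)
    return fixes_out(records, window) / new if new else float("inf")


def backlog_delta(records, window):
    """Net change in open findings over the window (positive means growing)."""
    return alerts_in(records, window) - fixes_out(records, window)


def pr_merge_rate(records):
    """Share of security PRs that developers actually merged."""
    opened = [r for r in records if r.pr_opened]
    return sum(1 for r in opened if r.pr_merged) / len(opened) if opened else None


if __name__ == "__main__":
    print("MTTD (days):", mttd_days(LEDGER))
    print("MTTR by severity:", mttr_by_severity(LEDGER))
    for name, window in (("Jan", JAN), ("Feb", FEB)):
        print(f"{name}: capacity ratio {capacity_ratio(LEDGER, window):.2f}, "
              f"backlog delta {backlog_delta(LEDGER, window):+d}")
    print("Security PR merge rate:", pr_merge_rate(LEDGER))
```

The capacity ratio is the number to watch: on this constructed ledger January closes one fix against five new alerts (ratio 0.2, backlog up by four) while February breaks even, which is exactly the alerts-in versus fixes-out comparison that tells you whether the backlog is structural.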
The SCA Maturity Model: Where Does Your Team Stand?

Industry benchmarks reveal a five-level maturity model for supply chain security:
Level 0: Reactive (33% of organizations)
• No SCA tooling deployed
• Manual dependency tracking in spreadsheets
• Vulnerability discovery via security incidents
• MTTR: Unmeasured (often 365+ days)
Next step: Deploy basic SCA tool with CVE detection.
Level 1: Visibility (34% of organizations)
• SCA tool deployed, generates alerts
• Security team manually triages all findings
• Developers receive Jira tickets
• High false positive rate (80-90% per industry benchmarks)
• MTTR: over eight months (Veracode 2025)
Next step: Implement reachability analysis and policy gates.
Level 2: Policy-Driven (23% of organizations)
• SCA integrated into CI/CD pipeline
• Policy gates prevent vulnerable code from shipping
• Reachability analysis reduces noise
• Some automated dependency updates (Dependabot, Renovate)
• MTTR: 90-180 days (industry benchmarks)
Next step: Establish risk-based prioritization framework and SLAs.
Level 3: Risk-Optimized (8% of organizations)
• Risk-based prioritization (reachability + exploitability + asset criticality)
• Clear SLAs by risk level
• Automated fixes for low-risk changes
• Developer-first workflows (PRs, not tickets)
• MTTR: 30-90 days (Veracode 2025)
Next step: Scale automation to cover more vulnerability types.
Level 4: Continuous Remediation (2% of organizations)
• Automated remediation at scale
• 70%+ of fixes merged without manual intervention (industry benchmarks)
• Continuous measurement and optimization
• Security team focuses on policy, not individual fixes
• MTTR: <30 days (DORA 2024)
Maintaining excellence: Focus on measuring business impact and developer experience.
Where Most Teams Are Stuck
67% of organizations remain at Level 0-1 (Forrester 2024), despite SCA tools becoming table stakes. The gap isn't tooling—it's capacity. Teams have visibility but lack the resources to triage intelligently and act on thousands of findings. Run the numbers on your own team: alerts in vs. fixes out. If that delta grows every quarter, you're looking at a structural problem, not a performance problem.
The bottleneck shifts at each maturity level:
• Level 0-1: Lack of visibility
• Level 1-2: Too much noise (triage overwhelm from false positives)
• Level 2-3: Manual triage capacity constraints
• Level 3-4: Manual fix capacity constraints
High-performing teams solve capacity constraints through intelligent automation at each layer: automated triage to cut through noise, automated remediation to reduce backlogs. The pattern is clear: detection without remediation capacity creates visibility without improvement.
What Would Better Look Like?
Current approaches mean:
• Managing 88% false positives manually (JFrog 2025)
• Taking 252 days to fix 50% of issues (Veracode 2025)
• Adding 458 new packages yearly (JFrog 2025)
• Detecting only 3% of supply chain attacks (Google Cloud 2025)
The data suggests what mature SCA programs need:
Better triage - Reachability and exploitability analysis that filters noise based on your actual code paths, not generic CVE severity scores. Teams using context-aware triage report significant reductions in alert volume.
Automated fixes - Pull requests generated automatically, tested before developers see them. Early adopters of automated remediation tools report higher merge rates than traditional security tickets, though results vary by implementation.
Integration with existing tools - Working with your current scanners rather than replacing them. The goal is adding remediation capacity to your existing detection layer.
Audit trails - Evidence-based decisions with documentation for compliance requirements. Automation doesn't mean black boxes.
The Bottom Line: From Visibility to Velocity
The 2025 supply chain security landscape presents a challenge: organizations have more visibility than ever, yet remediation timelines haven't improved. MTTR remains stalled at over eight months (Veracode 2025). Twenty industry reports reveal why: detection scaled, but triage and remediation haven't.
Key findings from our research:
1. The problem compounds faster than teams can respond - 458 new packages yearly (JFrog 2025), less than 10% of vulnerabilities fixed monthly (Veracode 2025)
2. First-generation tools solved the wrong problem - 67% SCA adoption (Forrester 2024), but 88% false positive rates (JFrog 2025) create triage paralysis, not security improvement
3. High performers automate at every layer - Teams with MTTR under 30 days (DORA 2024) automate triage AND remediation, not just detection
4. The maturity gap widens - Only 2% of organizations operate at Level 4 (Continuous Remediation), while 67% remain at Level 0-1 (Forrester 2024)
77% of your codebase came from open-source dependencies (Forrester 2024). That code is now your responsibility to secure. The data shows manual triage can't scale to manage the noise. Manual remediation can't scale to fix the backlog.
The question worth considering: Is your current approach building toward visibility, or toward velocity? The organizations closing the MTTR gap are asking that question now.
This analysis synthesized data from 20 industry reports including Forrester Wave SCA Q4 2024, Veracode State of Software Security 2025, Google Cloud Threat Horizons 2025, JFrog Software Supply Chain Report 2025, DORA State of DevOps 2024, and others. For specific sourcing or questions about methodology, please reach out.
