The biggest challenges in software supply chains in 2025

Open source, supply chains, AI, and more are keeping IT pros up at night

PARTNER CONTENT A few days ago, Canonical published original research in partnership with IDC and Google. The report is called "The state of software supply chains: Security challenges, opportunities and the path to resilience with open source software". It surveyed 500 participants from organizations with over 250 full-time employees to understand their most pressing issues. It found rising difficulties in vulnerability and patch management, insufficient visibility of software dependencies and the software supply chain, and concerns over the trustworthiness of software sources.

In this article, I will go through the most important findings one by one, outline their implications for organizations in 2025, and give four recommendations for steps you should take to immediately address the most serious concerns that this research uncovered.

Key insights from the research

1. Open source underpins critical workloads

Cost, efficiency, and innovation are perpetual goals for every organization and industry. Open source software plays a key role in achieving those objectives.

The report shows that 70 percent of businesses are adopting open source software, which demonstrates that they see open source as a valuable tool for cutting costs, driving innovation, accelerating product development, and improving security while avoiding licenses and vendor lock-in.

The implications are clear: If you're in the 30 percent you're at risk of getting left behind, and should assess the role of open source software in improving your operations.

Without open source, you'll pay more for innovations that make business faster, more cost effective, and more profitable. Whether we're talking about innovations like secure containers, optimized flavors of OSes specific to your hardware, or cloud technologies like Ceph, Kubernetes, and MicroCloud, open source technologies prove that there's a better, more efficient way to do what you do without getting locked into a years-long contract or technology you can't migrate out of.

2. Businesses struggle with their open source supply chains

The reality of modern applications is that software is only as good as its patches. But getting these patches is a complex puzzle that most organizations are struggling to solve. Our research revealed that 9 out of 10 organizations would prefer to source packages at the operating system level, but only 44 percent of them do so.

Instead, organizations are pulling software from all over the place, and only when they have to. Most organizations get updates from upstream repositories, and over 50 percent of them do not automatically upgrade to the newest versions. Instead, they wait until new features are needed or the program of free updates stops. This means that many businesses are not patching proactively in order to prevent threats before they happen, leaving them with unacceptable exposures and at risk of cyber incidents.

Many modern security programs can be anti-user and disruptive. Without the context of what a CVE is or what its threat was, the user is left thinking that these (usually vital) security updates are meaningless or superfluous downloads that just get in the way of work.

However, simply delaying or ignoring security updates creates problems. It ignores established best practices, exposes organizations to newly discovered vulnerabilities, and creates more expensive and time-consuming work, because the organization then has to take on intensive, inefficient tasks such as monitoring upstream open source projects and scanning for vulnerabilities itself.

Automated patching through a trusted provider or directly from your OS is the best response to gaps in your patching process. When you patch your apps, systems, or OS through a service like Ubuntu Pro, you're consuming your supply chain updates and security fixes through a trusted source. Most of our patches don't require restarts and have little to no impact or interaction with the user, unless you choose otherwise.

3. Prevailing vulnerability management strategies are unsustainable

Another pressing concern for organizations is the highly demanding security maintenance standards that they have set for themselves. This fits into our later section where we'll discuss the growing pressures of regulatory compliance and the need to demonstrate exceptionally high levels of cybersecurity readiness. In brief, many organizations are setting high targets for patching and vulnerability maintenance that are extremely difficult to keep up with.

Our research shows that 70 percent of organizations mandate vulnerability patching within 24 hours of identification for "high" and "critical" container vulnerabilities. However, just 41 percent of respondents are very or completely confident in their organization's ability to execute this policy. In fact, 40 percent of respondents have trouble keeping track of their dependencies, versions, and updates, and 37 percent feel hampered by limited skills and insufficient tools in their mission to remediate critical vulnerabilities.

This is the hard reality of patching and managing vulnerabilities: it is difficult and time-consuming work. And yet more than 37 percent of respondents are doing all of this work manually: the data shows that seven in 10 organizations spend over six hours per week on patching. Suffice it to say, businesses should not be spending an entire day, every single week, on a process that could simply be automated via trusted providers.

Perhaps the easiest way of doing this is to offload the entire burden onto the core of your digital operations: the operating system. Ubuntu has rapidly grown in the last decade as one of the most trusted development platforms in the world, mostly because developers know their apps and systems are protected from critical vulnerabilities in under 24 hours and get security updates for over 36,000 packages for up to 12 years.
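As an added illustration (not code from the report or from Canonical), the script below measures how well the 24-hour mandate for "high" and "critical" vulnerabilities described above is actually being met, which is the first thing a team needs before it can decide what to automate. The findings, image names and CVE ids are constructed placeholders, and the 7-day window for medium and low severities is an assumption, not something the survey states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy from the survey: high/critical must be patched within 24 hours of
# identification. The 168-hour window for medium/low is an assumed value.
SLA_HOURS = {"critical": 24, "high": 24, "medium": 168, "low": 168}


@dataclass
class Finding:
    cve: str
    image: str
    severity: str
    identified: datetime
    patched: Optional[datetime]  # None means the finding is still open


def hours_open(f: Finding, now: datetime) -> float:
    """Hours between identification and patch (or 'now' if still open)."""
    end = f.patched or now
    return (end - f.identified).total_seconds() / 3600


def sla_report(findings, now):
    """Return (breaches, per-severity compliance ratio).

    Each breach is (cve, image, severity, hours_elapsed, still_open)."""
    breaches, totals = [], {}
    for f in findings:
        sev = f.severity.lower()
        elapsed = hours_open(f, now)
        met = elapsed <= SLA_HOURS[sev]
        n, ok = totals.get(sev, (0, 0))
        totals[sev] = (n + 1, ok + int(met))
        if not met:
            breaches.append((f.cve, f.image, sev, round(elapsed, 1), f.patched is None))
    ratios = {sev: ok / n for sev, (n, ok) in totals.items()}
    return breaches, ratios


# Constructed sample data; CVE ids are placeholders, not real identifiers.
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("CVE-PLACEHOLDER-0001", "api:1.4", "critical", T0, T0 + timedelta(hours=6)),
    Finding("CVE-PLACEHOLDER-0002", "web:2.0", "high", T0, T0 + timedelta(hours=30)),
    Finding("CVE-PLACEHOLDER-0003", "worker:3.1", "critical", T0 + timedelta(days=1), None),
    Finding("CVE-PLACEHOLDER-0004", "web:2.0", "medium", T0, T0 + timedelta(days=3)),
]
NOW = T0 + timedelta(days=3)

if __name__ == "__main__":
    breaches, ratios = sla_report(SAMPLE, NOW)
    for b in breaches:
        print("SLA breach:", b)
    print({sev: f"{r:.0%}" for sev, r in ratios.items()})
```

Feeding it real scanner exports instead of the constructed list turns the 41 percent confidence figure into a measured number per severity.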

4. AI is a major concern

AI is a major concern for businesses. However, the fears of AI aren't about labor replacement or a loss in market competitiveness, but instead about the security risks these new tools carry. Businesses want to use AI for its benefits, but are wary of the challenges it creates around access, data privacy, and security.

According to the survey, 43 percent of organizations are either very or extremely concerned about their ability to secure their AI stack. And perhaps more worryingly, 60 percent of organizations have at best basic security controls to safeguard their AI/ML systems.

This fear goes beyond data breaches and security risks to encompass intellectual property (IP) protection for the AI applications they use or create. The growing risk of shadow AI in their organizations and work is also a worry.

This sort of exposure is untenable. If AI isn't affecting your operations already, it absolutely will in the near future. You need to secure your systems and explore potentially groundbreaking new technologies like confidential computing that can secure your AI system at runtime and protect your IP.

Thankfully, securing your AI stack is often an extension of your overall application security posture management. Even in a rapidly evolving technology and threat landscape, there are powerful techniques you can deploy to create a multi-layered defense that makes the cost of an attack high. These include:

  • Swift vulnerability response. Address known threats with Extended Security Maintenance, ensuring rapid patching and protection.
  • Zero-day threat containment with AppArmor. Restrict applications to the bare minimum access they need, stopping attackers in their tracks.
  • Regulated industry standards. FIPS-compliant cryptography and CIS benchmarks deliver system hardening tailored to your needs.
  • Boot-level protection. Secure boot enforces verified code execution, while full disk encryption (FDE) protects sensitive data at rest.
  • Next-gen isolation with confidential VMs. Technologies like Intel TDX and AMD SEV-SNP create CPU-level isolation, safeguarding data even against hypervisor compromise or insider threats.
  • Confidential computing. Confidential computing uses a combination of isolation and remote attestation to protect sensitive data by encrypting it when it's being processed, securing your workloads in untrusted environments.

5. Rising regulation remains a key challenge

A fresh wave of new regulation is affecting businesses of all sizes and industries. Many organizations struggle to understand what these new requirements mean for their operations and systems.

Our research shows that 37 percent of businesses reportedly struggle with knowing how these regulations apply to specific software, systems, or tools. It also found 34 percent unsure how to enforce compliance standards consistently across the affected stacks.

So what would our survey respondents like to see as a solution? 57 percent believe that implementing a common compliance framework would create the most business benefit, and yet only 37 percent of companies follow a unified approach that aligns IT, security, and business.

At Canonical, we understand all too well the challenges that businesses face in the intensifying regulatory landscape. From FedRAMP, DISA-STIG, HIPAA, and FISMA through to FIPS 140-3, CIS, Common Criteria, and the EU Cyber Resilience Act, the compliance standards that businesses must meet go on and on.

Just in the last few months, we've helped real organizations meet these requirements and reap the rewards for doing so: Airlock Digital met client requirements in highly sensitive and heavily regulated industries while achieving 30-40 percent in cost savings and performance improvements. Lucid acquired the AWS-compatible and FIPS 140-2 certified packages it needed for FedRAMP compliance, allowing it to market its online collaboration tools to the biggest agencies in the US. LaunchDarkly deployed a FIPS-compliant Ubuntu image on AWS to become the first FedRAMP-authorized feature management platform on the market.

Recommendations for meeting these new challenges

Our research demonstrates a need for secure open source tooling and maintenance and for the procurement of open source software from trusted sources. It highlights the need for security maintenance and cloud provisioning that take the time and effort out of delivering cutting-edge software and services. We recommend four actions that are critical for meeting these challenges:

  • Explore open source technologies as a strategy to drive innovation, cut cost, and avoid vendor lock-in.
  • Bring the software supply chain into the core of software delivery.
  • Automate OS updates for vulnerability management and patching so that engineering and security teams can focus on more productive work.
  • Identify the impact of regulatory and compliance requirements to determine where secure open source software can strengthen resilience.

Invisible and effortless security, resilient compliance processes, and choosing secure open source that responds flexibly to the changing vulnerability and threat landscape are vital for a competitive business edge. After all, with the right approach, security not only ceases to be a hassle, it becomes a source of real competitive advantage. By following our recommendations, you can ensure that you'll be ready for all the software supply challenges that 2025 brings.

If you want to take a deep dive into all of the data points and results from the survey, download the full report, or find this research and much more information on our website at www.canonical.com