70% of IT teams spend more than 6 hours per week on security patching – new IDC research
Latest research from Canonical and The International Data Corporation (IDC) shows organizations struggle to apply fixes confidently under tough CVE patching mandates, and face other serious challenges in the open source software supply chain 

Today, Canonical, the publisher of Ubuntu, published a research report in collaboration with IDC and co-sponsored by Google Cloud that uncovers new insights into the pressures and challenges organizations face with security patching and rising regulatory burdens. The report, titled The state of software supply chains: Security challenges, opportunities and the path to resilience with open source software, surveyed 500 organizations with more than 250 full-time employees to determine the most pressing issues these organizations face. Most notably, these are difficulties in vulnerability and patch management, insufficient visibility of software dependencies or the software supply chain, and the trustworthiness of software sources.

Open source software is a popular tool for businesses for a variety of reasons: nearly half (44%) of organizations opt for open source software to reduce costs, while others are using it to increase development speed (36%), according to the report. 

However, this adoption has introduced new challenges in maintaining their open source software supply chain. Fifty-seven percent of organizations source their packages from upstream open source repositories, and 51% from ecosystem packages like pip or npm.

The research shows that 9 out of 10 organizations would prefer to source packages from their OS, but only 44% currently do. A small number (11%) report maintaining their own internally curated repositories. 

Maintaining security patches and vulnerability fixes for open source software remains a significant challenge for organizations. Seven in 10 organizations spend over 6 hours per week on patching, which is almost one full workday spent just on manual and time-consuming patching every week.

This challenge is all the more pressing given the strict mandates set for Common Vulnerabilities and Exposures (CVE) fixes: 70% of organizations mandate vulnerability patching within 24 hours of identification for “high” and “critical” container vulnerabilities – but only 41% of respondents are “very confident” or “completely confident” in their organization’s ability to execute on this policy.  

All the while, organizations prioritize stability over constant upgrades. The research shows that most organizations wait to update their OS and applications: over 50% of organizations do not automatically upgrade their in-production operating systems or applications to the newest version. Instead, they prefer to wait until new features are needed, or until the asset or application stops receiving free security patches.

“In 2025, organizations face a really tough challenge. There is significant pressure internally to bring the latest and greatest open source to development teams so that they can build on the shoulders of giants,” said Aaron Whitehouse, Senior Public Cloud Enablement Director at Canonical. “At the same time, it is clear that most organizations are struggling to find trusted sources for their open source and keep it secure and compliant at enterprise scale. This is a great validation of the work Canonical has been doing in this space, like the Expanded Security Maintenance (ESM) that we offer as part of Ubuntu Pro and our Container Build Service.”

In addition to these major challenges, organizations will face mounting pressure from new hurdles in 2025, namely cloud management, AI adoption, and increasing regulatory requirements.

Many organizations have multicloud or hybrid environments. The complex nature of these environments results in difficulties or concerns with misconfiguration, identity and access management, and other aspects of security management that more cloud-mature organizations have already navigated.

On the AI front, 43% of organizations are very or extremely concerned about their ability to secure their AI stack, while 60% admit to having only basic or no security controls to safeguard their AI/ML systems.

And finally, 37% of organizations lack an understanding of how compliance regulations apply to specific systems, technologies, and software components. Compliance regimes vary depending on the industry and use case, but whether it is meeting long-established requirements like FedRAMP, GDPR, and HIPAA, or completely new mandates like the AI Act, the sheer number of compliance frameworks makes the requirements for a secure supply chain more stringent and difficult to manage. Fifty-seven percent of organizations believe that implementing a common compliance framework would create the most business benefit. Yet only 37% of companies follow a unified approach that strategically aligns IT, security, and business.

These challenges pose significant implications for all organizations due to the growing risks of cyber incidents, out-of-date software and infrastructure, and challenges in staffing.

“The difficulty of gaining visibility into deep dependency roots and addressing risks and vulnerabilities is increasing as organizations’ software usage expands and supply chain complexity grows – and as their software supply chains grow in complexity, IT teams struggle to manage the software stack in a trusted way,” said George Mironescu, Associate Research Director at IDC. “However, no one can afford to compromise their software delivery. In order to overcome the challenges of vulnerability management, AI, and regulatory compliance in 2025, organizations will need to develop new approaches and systems that address the fundamental security and long-term sustainability of their systems and cybersecurity.”

To meet these challenges head-on, businesses will need to bring the software supply chain to the core of software delivery, automate updates for vulnerability management and patching, and implement a common compliance framework or compliance automation tools to address requirements efficiently. 

To get all of the insights, findings, and recommendations, download the full report. 

About Canonical 

Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. 

Learn more at https://canonical.com/ 

About The International Data Corporation 

The IDC is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. With more than 1,300 analysts worldwide, IDC offers global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries. IDC’s analysis and insight help IT professionals, business executives, and the investment community to make fact-based technology decisions and to achieve their key business objectives.

Learn more at https://www.idc.com/ 