Cloudsmith survey finds SBOM gaps before cyber law
Cloudsmith has published research finding that most engineering teams do not consistently generate and verify software bills of materials (SBOMs). The results raise questions about how prepared organisations are for the EU Cyber Resilience Act's reporting requirements.
The survey found that only 25% of engineering teams automatically generate and verify SBOMs at every build.
Most teams instead handle the process manually, do it only in response to incidents, or produce documentation only when an auditor requests it. It also found that 74% would struggle to quickly produce a comprehensive report of artifact versions, origins and security attestations if faced with a surprise audit.
The figures come as software supply chain attacks remain in focus after recent incidents involving upstream repositories and package ecosystems. Among respondents, 44% said they had experienced a security incident caused by a third-party dependency in the past year.
Another 44% said their organisation spent more than 50 hours a month investigating potential security issues linked to third-party dependencies, whether or not those issues led to a breach. The findings suggest that even suspected weaknesses in dependency chains are imposing a significant operational burden on development and security teams.
AI Oversight
The research also pointed to limited oversight of AI-generated code. Although 93% of respondents said their organisations use AI-generated code, 31% spend 10 hours or less per month validating, auditing or securing it, including 5% who do not explicitly audit AI-generated code at all.
At the same time, 58% said they spend at least 11 hours each month validating and securing AI-generated code, while 8% spend more than 40 hours. Only 17% said they were very confident that AI was not introducing new vulnerabilities into their codebase.
The report linked those concerns to risks including insecure code generation, hidden dependencies and "slopsquatting", in which AI tools suggest non-existent package names that attackers can later register. That risk sits alongside broader concerns about the volume of third-party code entering development pipelines.
Compliance Pressure
New regulatory demands are adding to that pressure. Under the EU Cyber Resilience Act, companies face a 48-hour deadline to provide a detailed assessment after becoming aware of a breach, meaning they may need to supply provenance data with little warning.
Cloudsmith's data suggests many teams are not in a position to do that quickly. It found that 53% of respondents could produce a comprehensive report of artifact versions, origins and security attestations only with significant manual effort or time.
The survey was based on responses from 505 software development, engineering and security professionals in the United States and United Kingdom. Respondents worked at organisations with more than 500 employees and included executives, platform engineering and DevOps staff, security practitioners and software architects.
Spending Priorities
The report also asked where respondents expected the biggest pressures and investments to fall over the coming year. The top challenges cited were keeping builds and releases available during spikes and third-party outages, meeting new regulatory standards while securing the supply chain, and reducing cloud spend while consolidating toolchains.
Respondents most often pointed to security scanning tools such as software composition analysis (SCA) and static application security testing (SAST), AI and machine learning operations infrastructure, and internal developer portals as the main areas for investment.
Glenn Weinstein, chief executive officer of Cloudsmith, said the industry was entering a period of change shaped by both automation and new risks.
"We are at a huge inflection point in the history of software development. In a matter of months, we've gone from, 'How can AI help me write better code?' to, 'How can I help AI write better code?' But at the same time, AI tools are expanding the attack surface, introducing more open source dependencies. And those same tools are being used by malicious actors to find more vulnerabilities in existing libraries, leading to more CVEs.
"Agentic development is an incredibly powerful way to build software, and teams will be far more productive and write even more software as a result. That is a good thing, because the world certainly needs more software and more automation. For enterprises to manage this new velocity and productivity, automated guardrails and context are the new keys to unlocking the production of safer, more efficient code."