243 views
Photo from Shutterstock

Software compliance bottlenecks hit over half of firms: report

Singapore’s open-source package approvals are the slowest across APAC. 

Over half (54%) of organisations in Singapore need a week or more to produce compliance proof for each application, despite most (95%) claiming to track application ownership.

The finding points to a gap between software security governance and enforcement, according to JFrog’s 2026 Software Supply Chain Security State of the Union report.

The report showed that 67% of respondents in Singapore use network proxy enforcement, the highest amongst the eight surveyed markets. 

The city-state also recorded the highest level of scrutiny for artificial intelligence (AI)-suggested fixes, with 71% saying they carefully review AI-generated recommendations.

However, the survey flagged gaps in enforcement tools and approval processes. About 59% of developers wait a week or more for new open-source package approvals, the slowest rate in the Asia Pacific.

Meanwhile, 18% of organisations have policies against unauthorised AI tools but no mechanism to detect violations, the highest “policy-only” rate in the region.

Only 25% have adopted secrets detection tools, which identify exposed credentials such as passwords, API keys, and access tokens in code.

Manual reviews are also struggling to keep pace with AI-driven development, with 60% of DevSecOps stakeholders in Singapore citing governance and policy enforcement as their top time burden. 

In addition, 41% identified reviewing and hardening AI-generated code as a significant drain on resources.

JFrog also flagged rising global supply chain risks, including a 451% increase in malicious npm packages and 495 weaponised AI models on public registries.

The Singapore findings were based on 174 local respondents, forming part of a global survey of 1,508 full-time security, DevOps, and IT professionals across eight countries

Join Singapore Business Review community
A NOTE FROM SINGAPORE BUSINESS REVIEW

If you've been wondering whether SBR could work for your company — yes, probably.

A lot of the companies we partner with started as readers. They'd been following our coverage for a while, saw their own customers and competitors in it, and eventually asked the obvious question: could we do something with you? The answer is usually yes. The shape of it depends on what you're trying to do.


The options are broader than most people assume — thought leadership articles, sponsored content, industry summits across Southeast Asia, regional awards programmes, podcasts, and media placements in print and digital. Some partners use one channel; most use a mix. We figure out the right combination by starting with your brief, not with our rate card.


So if the question has been on your mind, here's the easy way to ask it.

We'll tell you honestly whether we can help, and how. It's a better use of everyone's time.