Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations

📅 2025-09-09
🤖 AI Summary
Since 2020, software supply chain attacks have surged, primarily exploiting three vectors—software components, build infrastructure, and personnel—yet existing risk management frameworks suffer from task overload and lack empirical evidence to prioritize implementation. Method: We conducted semi-structured interviews with 61 practitioners across nine organizations, applying thematic coding and cross-organizational qualitative analysis grounded in established frameworks. Contribution/Results: This study establishes, for the first time, an empirically grounded, multi-organizational baseline of supply chain security task adoption. Findings reveal high maturity and widespread adoption of personnel-centric tasks, whereas tasks targeting component- and build-infrastructure–based attack vectors remain under-adopted and immature—indicating urgent priority for scaling. This baseline provides actionable, evidence-based guidance for organizations to deploy supply chain security measures differentially and incrementally, aligned with their operational context and maturity stage.

📝 Abstract
Software supply chain attacks have increased exponentially since 2020. The primary attack vectors for supply chain attacks are through: (1) software components; (2) the build infrastructure; and (3) humans (a.k.a. software practitioners). Software supply chain risk management frameworks provide a list of tasks that an organization can adopt to reduce software supply chain risk. Exhaustively adopting all the tasks of these frameworks is infeasible, necessitating the prioritized adoption of tasks. Software organizations can benefit from being guided in this prioritization by learning what tasks other teams have adopted. The goal of this study is to aid software development organizations in understanding the adoption of security tasks that reduce software supply chain risk through an interview study of software practitioners engaged in software supply chain risk management efforts. An interview study was conducted with 61 practitioners at nine software development organizations that have focused efforts on reducing software supply chain risk. The results of the interviews indicate that organizations had implemented the most-adopted software tasks before the focus on software supply chain security; therefore, their implementation in organizations is more mature. The tasks that mitigate the novel attack vectors through software components and the build infrastructure are in the early stages of adoption. Adoption of these tasks should be prioritized.
Problem

Research questions and friction points this paper is trying to address.

Establishing baseline adoption of software supply chain security tasks
Prioritizing security task implementation against novel attack vectors
Understanding current organizational practices through practitioner interviews
Innovation

Methods, ideas, or system contributions that make the work stand out.

Interview study with 61 practitioners
Prioritized adoption of security tasks
Focus on novel attack vectors