A new Venafi survey finds that 82% of CIOs say their organizations are vulnerable to cyberattacks targeting software supply chains.
The shift to cloud-native development, along with the faster development cycles that come with DevOps processes, has made securing software supply chains considerably more complex.
Meanwhile, adversaries, encouraged by the success of high-profile software supply chain attacks on companies like SolarWinds and Kaseya, are ramping up attacks against software build and distribution environments.
According to the study, the sharp increase in the number and sophistication of these attacks over the past 12 months has brought the issue into sharp focus and attracted the attention of CEOs and boards of directors. As a result, CIOs are increasingly concerned about the severe business disruption, loss of revenue, data theft, and customer harm that can result from a successful attack on the software supply chain.
Key findings from the study:
87% of CIOs believe software engineers and developers are compromising security policies and controls to get new products and services to market faster.
85% of CIOs have been specifically instructed by the board or CEO to improve the security of software build and distribution environments.
84% say the budget for the protection of software development environments has increased in the past year.
“Digital transformation has turned any business into a software developer, and as a result, software development environments have become a huge target for attackers,” said Kevin Bocek, vice president of Threat Intelligence and Business Development at Venafi.
“Hackers have found that successful supply chain attacks, especially those targeting machine identities, are extremely efficient and more profitable,” he says. Bocek has seen dozens of ways to compromise development environments in these types of attacks, including attacks that use open-source software components like Log4j.
“The reality is that developers are more focused on innovation and speed than on security,” he says.
“Unfortunately, security teams rarely have the knowledge or resources to help developers solve these problems, and CIOs are just waking up to this challenge.”
In the pursuit of faster innovation, the complexity of open source and the speed of development limit the effectiveness of software supply chain security controls. More than 90% of software applications use open-source components, and the dependency trees and vulnerabilities of open-source software are extremely complex. CI/CD and DevOps pipelines are typically structured to let developers work quickly, not necessarily more securely.
The survey also asked what steps organizations are taking in response: 68% are implementing more security controls, 57% are updating their review processes, 56% are expanding the use of code signing, a key security control for software supply chains, and 47% are reviewing the provenance of their open source libraries.
“CIOs know they need to improve software supply chain security, but it’s extremely difficult to pinpoint exactly where the risks are, which improvements increase security the most, and how these changes mitigate risk over time,” says Bocek.
“We can’t solve this problem using existing methodologies. Instead, we need to think differently about the identity and integrity of the code we build and use, and we need to protect and secure it at every step of the development process at machine speed.”