
Organizations increasingly vulnerable to supply chain attacks

by Helen J. Wolf

Venafi has released the findings of a global survey of 1,000 CIOs, in which 82% say their organizations are vulnerable to cyberattacks targeting software supply chains.

The shift to cloud-native development, along with the increased development speed resulting from adopting DevOps processes, has made the challenges associated with securing software supply chains infinitely more complex, the study finds.

Meanwhile, adversaries, encouraged by the success of high-profile software supply chain attacks on companies such as SolarWinds and Kaseya, are ramping up attacks against software build and distribution environments.

The sharp increase in the number and sophistication of these attacks over the past 12 months has brought this issue into strong focus and attracted the attention of CEOs and boards of directors.


As a result, CIOs are increasingly concerned about the severe business disruption, loss of revenue, data theft, and customer damage that can result from successful attacks on the software supply chain.

Key findings from the study:

87% of CIOs believe software engineers and developers are compromising security policies and controls to get new products and services to market faster.
85% of CIOs have been specifically instructed by the board or CEO to improve the security of software build and distribution environments.
84% say the budget for protecting software development environments has increased in the past year.

Venafi Vice President of Threat Intelligence and Business Development, Kevin Bocek, said, “Digital transformation has turned every business into a software developer. As a result, software development environments have become a huge target for attackers.

“Hackers have found that successful supply chain attacks, especially those targeting machine identities, are extremely efficient and more profitable.”

Bocek says he has seen dozens of ways to compromise development environments in these types of attacks, including attacks that use open-source software components such as Log4j.

He explains: “The reality is that developers focus more on innovation and speed than security. Unfortunately, security teams rarely have the knowledge or resources to help developers solve these problems, and CIOs are just waking up to these challenges.”

More than 90% of software applications use open-source components, and the dependencies and vulnerabilities of open-source software are extremely complex.

CI/CD and DevOps pipelines are typically structured to let developers work quickly, but not necessarily more securely. In the pursuit of faster innovation, the complexity of open source and the speed of development limit the effectiveness of software supply chain security controls. CIOs realize they need to change their approach to address these challenges.

As a result:

68% are implementing more security controls.
57% are updating their review processes.
56% are expanding their use of code signing, a key security control for software supply chains.
47% are reviewing the provenance of their open-source libraries.

Bocek says, “CIOs realize they need to improve software supply chain security, but it’s extremely difficult to pinpoint exactly where the risks are, which enhancements provide the greatest increase in safety, and how these changes mitigate risk over time.

“We cannot solve this problem with existing methodologies. Instead, we need to rethink the identity and integrity of the code we build and use — and protect and secure it at machine speed at every step of the development process.”
