Board members and CEOs call for improvements in the security of the software supply chain
Venafi®, the inventor and leading provider of machine identity management, announces the results of a global study of 1,000 CIOs, in which 82 percent of respondents said that their companies are vulnerable to cyber attacks on the software supply chain. The transition to cloud-native development and the increased development speed due to the introduction of DevOps processes have made the challenges associated with securing software supply chains infinitely more complex. Meanwhile, motivated by the success of high-profile attacks on companies such as SolarWinds and Kaseya, the attackers are stepping up their attacks on software development and distribution environments.
The sharp increase in the number and sophistication of these attacks over the past 12 months has brought this issue to the center of attention and attracted the attention of CEOs and boards. As a result, CIOs are increasingly concerned about the serious business disruptions, revenue loss, data theft and customer damage that can result from successful attacks on the software supply chain.
The main results of the study:
- 87 percent of CIOs believe that software engineers and developers compromise on security policies and controls to get new products and services to market faster.
- 85 percent of CIOs have been specifically instructed by the board or CEO to improve the security of software development and distribution environments.
- 84 percent report that the budget allocated to securing software development environments has increased in the last year.
Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi
“The digital transformation has turned every company into a software developer. As a result, software development environments have become a major target for attackers,” says Kevin Bocek, Vice President of Threat Intelligence and Business Development at Venafi. “Hackers have discovered that successful supply chain attacks, especially those targeting machine identities, are extremely efficient and profitable.”
Bocek has observed literally dozens of ways to compromise development environments in this type of attack, including attacks that take advantage of open source software components such as Log4j. “The reality is that developers are focusing on innovation and speed rather than security,” Bocek explains. “Unfortunately, security teams rarely have the knowledge or resources to help developers solve these problems, and CIOs are only just becoming aware of these challenges.”
More than 90 percent of software applications use open source components, and the dependencies and vulnerabilities associated with open source software are extremely complex. CI/CD and DevOps pipelines are usually structured to let developers move quickly, but are not necessarily more secure. The complexity of open source and the speed of development limit the effectiveness of security controls in the software supply chain, as innovation is expected to be delivered ever faster.
CIOs recognize that they need to change their approach to address these challenges. The study's results on this:
- 68 percent are implementing more security controls
- 57 percent are updating their review processes
- 56 percent are expanding the use of code signing, an important security control for software supply chains
- 47 percent check the origin of their open source libraries
“CIOs know they need to improve security in the software supply chain, but it’s extremely difficult to pinpoint exactly where the risks are, which improvements increase security the most, and how these changes reduce risk over time,” Bocek continues. “We cannot solve this problem with the existing methods. Instead, we need to think differently about the identity and integrity of the code we create and use, and we need to protect and secure it at machine speed at every step of the development process.”