Majority of CIOs say their software supply chains are vulnerable
- Posted: Wednesday, June 1, 2022 7:42 AM
Venafi has released the findings of a global study of 1,000 CIOs, in which 82 percent say their organizations are vulnerable to cyber attacks targeting software supply chains. The shift to cloud-native development, coupled with the faster release cadence brought about by the adoption of DevOps processes, has made securing software supply chains considerably more complex. Meanwhile, adversaries, encouraged by the success of high-profile software supply chain attacks such as those on SolarWinds and Kaseya, are stepping up attacks on software build and distribution environments.
The sharp increase in the number and sophistication of these attacks over the last 12 months has brought the issue into clear focus, drawing the attention of CEOs and boards of directors. As a result, CIOs are increasingly concerned about the serious business disruption, lost revenue, data theft and customer harm that can follow a successful attack on the software supply chain.
Key findings from the study include:
- 87 percent of CIOs believe that software engineers and developers compromise on security policies and controls to get new products and services to market faster.
- 85 percent of CIOs have received specific instructions from the board or CEO to improve the security of software build and distribution environments.
- 84 percent say the budget for securing software development environments has increased over the past year.
“The digital transformation has made every company a software developer. And as a result, software development environments have become a big target for attackers,” said Kevin Bocek, vice president of threat intelligence and business development at Venafi. “Hackers have found that successful attacks on the supply chain are extremely efficient and more profitable.”
More than 90 percent of software applications use open source components, and the dependencies and vulnerabilities that come with open source software are extremely complex. CI/CD and DevOps pipelines are typically built to let developers move quickly, but not necessarily more securely. In the drive to innovate faster, the complexity of open source and the speed of development limit the effectiveness of software supply chain security controls.
CIOs realize that they need to change their approach to overcome these challenges. As a result:
- 68 percent are implementing more security checks.
- 57 percent are updating their review processes.
- 56 percent are expanding their use of code signing, a key security control for software supply chains.
- 47 percent are looking at where their open source libraries come from.
“CIOs realize that they need to improve the security of the software supply chain, but it is extremely difficult to determine exactly where the risks lie, what improvements provide the greatest increase in security, and how these changes reduce risk over time,” Bocek continued. “We cannot solve this problem with existing methodologies. Instead, we need to think differently about the identity and integrity of the code we are building and using, and we need to protect and secure it at every step of the development process at machine speed.”
Conducted by Coleman Parkes Research, the Venafi survey assessed the views of 1,000 CIOs from six countries/regions: United States, United Kingdom, France, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg) and Australasia (Australia, New Zealand).