Companies Invest in Software Supply Chain Security

A new survey of 350 application development, information technology and cybersecurity decision makers shows that 34 percent of the companies surveyed had a known open source software vulnerability exploited in their applications in the past 12 months, and 28 percent had been affected by a previously unknown (“zero-day”) vulnerability.

Seventy-three percent of respondents have significantly increased their efforts to secure their organization’s software supply chain in response to attacks such as Log4Shell, SolarWinds, and Kaseya. This is reflected in a variety of security initiatives, including the adoption of strong multifactor authentication (33 percent), investment in application security testing (32 percent), and asset discovery to maintain an up-to-date inventory of their attack surface (30 percent). Despite these efforts, the exploitation rates cited above remain high: 34 percent of organizations admit that their applications were exploited in the past 12 months through a known open source software (OSS) vulnerability, and 28 percent were affected by a previously unknown (“zero-day”) vulnerability.

As OSS use grows, it naturally ends up in more applications. The current push to improve risk management for the software supply chain has brought the Software Bill of Materials (SBOM) into the spotlight. The use of open source software has exploded while OSS management often remains inadequate, and as a result creating an SBOM has become very complex. The ESG study confirms this: 39 percent of survey participants see it as one of the problems with the use of open source software.


“Companies learn from the headlines about the business impact a software supply chain vulnerability or security breach can have. A proactive security strategy is now a top business priority,” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “Managing open source risk is an important component within managing risk within the software supply chain for cloud-native applications. But we need to recognize that risk goes beyond open source components. Infrastructure-as-code, containers, APIs, code repositories – the list goes on. If you want to ensure a holistic approach to software supply chain security, it’s important to fully consider this list.”

Open source software may be the original supply chain problem. But the shift toward cloud-native application development has companies thinking about the risks that exist at additional nodes in their supply chain.

This includes not only additional aspects of source code, but also how cloud-native applications are stored, packaged and deployed, and how they connect via application programming interfaces (APIs). Nearly half (45 percent) of respondents see APIs as the most vulnerable attack vector of all, along with data storage repositories (42 percent) and application container images (34 percent).

Nearly all respondents (99 percent) currently use OSS or plan to do so within the next 12 months. However, there are concerns about the maintenance, security and trustworthiness of these open source projects. The biggest concern relates to the extent to which open source is being used in application development: 54 percent of respondents have concerns about “a high percentage of open source in application code.”


Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center: “In light of the recent U.S. Presidential Executive Order (14028) to improve cybersecurity in the U.S., the concept of a Software Bill of Materials (SBOM) is of great interest.

Using an SBOM, software operators know which third-party components are included in their applications, regardless of whether it is open source software, commercial software or software from contracted third parties. This knowledge is critical to developing a patch management process. If it is missing, you will only have an incomplete overview of the software risks present in each application – regardless of their origin. Once the next zero-day vulnerability of Log4Shell proportions occurs (and it will), this information will allow organizations to act quickly and effectively – and defend against third-party software component attacks.”

According to the survey results, the importance of security is increasing and the use of “shifting left” (a concept that allows developers to test security earlier in the development cycle) in cloud-native application development is growing. Still, 97 percent of organizations have been affected by a security incident related to cloud-native applications within the last 12 months.

Faster release cycles are a challenge for all teams when it comes to security. Application developers (41 percent) and DevOps teams (45 percent) agree that developers often skip established security processes, while the majority of application developers (55 percent) believe security teams lack visibility into development processes. Sixty-eight percent of respondents say they place a high priority on adopting developer-centric security solutions and shifting some security responsibilities to developers. This is despite the fact that more developers (45 percent) are currently responsible for application security testing than security teams (40 percent). These developers are twice as likely to use internally developed or open source security tools as they are to use specialized third-party solutions.


At the same time, developers play a greater role in software supply chain security for cloud-native applications, but only 36 percent of security teams agree that developers should take responsibility for these tests. The biggest hurdles to developer-led efforts in application security are overburdening developers with additional tools and responsibilities, hampering innovation and speed, and a lack of visibility into overall security efforts.