Supply Chain Council of European Union | Scceu.org
Development teams increasingly worried about software supply chain attacks

New research from threat intelligence firm ReversingLabs Inc. reveals that software development teams are increasingly concerned about the risk of supply chain attacks and tampering, but only a third say they effectively vet the security of developed and published code for tampering.

The typical vector of software supply chain attacks is the exploitation of security flaws that allow attackers to infiltrate systems and spread malicious payloads throughout an organization’s software. The survey of 300 global information technology and security professionals found that while all were well aware of the dangers, companies continue to put themselves at risk for software supply chain attacks.

A surprisingly large 54% of survey respondents said their firm knowingly releases software with potential security risks. That by itself is deeply concerning. When companies know they are releasing software with vulnerabilities, they are immediately exposing themselves to the risk of being hacked.

With no great surprise, 98% of respondents said that using third-party software, including open-source software, increases security risks. However, just over half report being able to protect that software from supply chain attacks.

That third-party software, including open-source, could already be compromised is a genuine concern, with 87% saying they know software tampering is a new vector with breach opportunities for bad actors, but only 37% indicate they have a way to detect it across their supply chain.

Of those that can detect software tampering, only 7% do it at each phase of the software development lifecycle. Only one in three actually checks for tampering once an application is final and deployed.

“Executives are acutely aware of software supply chain risks,” Mario Vuksan, chief executive officer and co-founder of ReversingLabs, said in a statement. “That’s not surprising, given the visibility of high-profile attacks and the U.S. administration’s directive to set baseline security standards for software sold to the government.”

The survey also found that executives are open to adopting tools like software bills of materials to help them manage the complex task of monitoring and detecting supply chain compromises and risks. More than three-quarters of those surveyed said they appreciate the value of an SBoM as a way to test for tampering. However, most companies fail to generate and review SBoMs.

On the same subject, Manoj Nair, general manager of Metallic, a Commvault venture, and Tim Carben, principal information systems engineer at Mitchell International Inc., spoke with Dave Vellante, host of theCUBE, SiliconANGLE Media’s livestreaming studio, last June about the increasing number of supply chain software hacks and the need for extra vigilance.
