Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Over 82% of CIOs concerned about software supply chain vulnerability

Venafi has found 82 per cent of CIOs believe their organisations are vulnerable to cyber attacks targeting software supply chains.

user icon
Fri, 10 Jun 2022
Over 82% of CIOs concerned about software supply chain vulnerability
expand image

Venafi's global study of 1,000 CIOs has found that the shift to cloud native development, along with the increased speed in development brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex.

According to Kevin Bocek, vice president of threat intelligence and business development for Venafi, digital transformation has made every business a software developer.

"As a result, software development environments have become huge target for attackers.

============
============

"Hackers have discovered that successful supply chain attacks, especially those that target machine identities, are extremely efficient and more profitable," Bocek added.

Bocek has seen dozens of ways to compromise development environments in these types of attacks, including attacks that leverage open-source software components like Log4j.

"The reality is that developers are focused on innovation and speed rather than security.

"Unfortunately, security teams rarely have the knowledge or the resources to help developers solve these problems and CIOs are just waking up to these challenges," Bocek explained.

Motivated by the success of high-profile software supply chain attacks on companies like SolarWinds and Kaseya, malicious cyber threat actors are stepping up attacks against software build and distribution environments.

The Venafi study found these key findings:

  • 87 per cent of CIOs believe software engineers and developers compromise on security policies and controls in order to get new products and services to market faster;
  • 85 per cent of CIOs have been specifically instructed by the board or CEO to improve the security of software build and distribution environments; and
  • 84 per cent say the budget dedicated to the security of software development environments has increased over the past year.

More than 90 per cent of software applications use open-source components, and the dependencies and vulnerabilities associated with open-source software are extremely complex. CI/CD and DevOps pipelines are typically structured to enable developers to move quickly but not necessarily more securely.

In the push to innovate faster, the complexity of open source and the speed of development limit the efficacy of software supply chain security controls.

CIOs recognise changing the approach to overcome these challenges should be in play:

  • 68 per cent are implementing more security controls;
  • 57 per cent are updating their review processes;
  • 56 per cent are expanding their use of code signing, a key security control for software supply chains; and
  • 47 per cent are looking at the provenance of their open-source libraries.

CIOs have been increasingly concerned about the serious business disruptions, revenue loss, data theft and customer damage that can result from successful software supply chain attacks. The sharp increase in the number and sophistication of these attacks over the last 12 months has brought the issue of the software supply chain vulnerability into sharp focus. As a result, CEOs and boards are now paying attention.

[Related: Aussie disability scheme recipients’ data leaked after NDIS data breach]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.