CIOs largely believe their software supply chain is vulnerable
Internal bureaucracy and barriers hold up roll out of defenses, report finds
Ask 1,000 CIOs whether they believe their organizations are vulnerable to cyberattacks targeting their software supply chains and about 82 percent can be expected to say yes.
Security biz Venafi engaged research firm Coleman Parkes to put that question to as many corporate IT leaders from the US, UK, France, Germany, Austria, Switzerland, Belgium, Netherlands, Luxembourg, Australia, and New Zealand.
The result was an emphatic vote of no confidence.
"The results show that while CIOs understand the risk of these types of attacks, they have yet to grasp the fundamental organizational changes and new security controls they will need to incorporate into their security posture to reduce the risk of supply chain attacks that can be devastating to themselves and their customers," says Venafi's report, which was released on Tuesday.
These IT chiefs will need to understand the situation sooner rather than later – 85 percent report that they've been directed by their CEO or corporate board to take action to improve the security of software development and build environments.
Blame SolarWinds, Codecov, and Kaseya – companies that had their corporate software build tools compromised in sophisticated attacks that affected their customers – not to mention the past five years of poisoned packages at popular open-source software registries.
Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?READ MORE
"Digital transformation has made every business a software developer," said Kevin Bocek, VP of threat intelligence and business development for Venafi, in a statement. "And as a result, software development environments have become a huge target for attackers. Hackers have discovered that successful supply chain attacks are extremely efficient and more profitable."
Over the past two years, these attacks have made waves in Washington, leading to federal efforts to strengthen the security of the software supply chain. And since then there have been frequent reminders that modern software development requires too much trust.
Venafi's report finds some action has already been taken for the better. Sixty-eight percent of respondents said they'd implemented more security controls, 56 percent are making more use of code signing, and 47 percent are looking at the provenance of their open source libraries.
Yet security enforcement across organizations often falls short. Some 95 percent of infosec teams have been given authority over the security controls applied to the software supply chain. At the same time, almost a third of those teams lack the power to enforce their policies. According to Venifi's survey, 31 percent of infosec teams can recommend security controls but cannot enforce them.
To that, add a divide between infosec and development – 87 percent of respondents said they believe software developers sometimes compromise security controls and policies to deliver products and services faster.
Venafi, which handles machine identity management, sees its findings as an opportunity to advocate for more code signing in CI/CD build pipelines. A self-serving argument, no doubt, but one aligned with industry initiatives like Sigstore and what security consultants have called for with regard to code registries like NPM.
Code signing of course means you have to protect private code-signing keys – something Codecov didn't quite manage – but no one ever said security is easy. ®