Defending against software supply chain attacks

Research from Venafi evaluates the impact of software supply chain attacks like SolarWinds but finds that, despite the risks, businesses can’t agree on which team is responsible for the security of software development environments

Global research from machine identity management provider Venafi evaluates the impact of software supply chain attacks like SolarWinds/SUNBURST, CodeCov and Kaseya/REvil on how development organizations are changing their approach to securing software build and delivery environments. The survey evaluated the opinions of over 1,000 information security professionals, developers and executives in the IT and software development industries.

According to Venafi’s survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments. For example, when asked who is primarily responsible for improving the security of their organization’s software development environments, 48 percent of respondents say their security teams are responsible and 48 percent say their development teams are responsible.

“While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can’t even agree on who is responsible for taking these actions it’s pretty clear that we aren’t even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves.”

Additional survey findings include:

  • 80 percent of respondents say they are not completely confident in their organization’s ability to defend against attacks targeting software build environments. 
  • 69 percent of developer respondents believe developers are responsible for the security of their organization’s software build process. However, 67 percent of security respondents believe it is the security team’s responsibility.
  • When asked who should be responsible for the security of their organization’s software build process, 58 percent of security respondents say it should be their responsibility and 53 percent of developer respondents say it should be theirs. Just 8 percent of all respondents suggested that responsibility should be shared.

“As these survey results clearly show, most organizations have not made it clear which team has the incentive or the directives they need to make the changes required. The only way to minimize the risk of future attacks is to enable developers to move fast, from idea to production, without compromising security,” Bocek continued. “Speed of innovation and security are inseparable in software development. In the same way a Formula 1 engineer builds for performance and safety at the same time, software developers also need to be accountable for both. To accomplish this, developers clearly need help and support from security teams. Boards, CEOs, and managing directors need to take action to ensure clear lines of ownership so changes are in place, and they can hold teams accountable.”


For more information, please visit: Whitepaper: https://www.venafi.com/resource/more-solarwinds-style-attacks-whitepaper

Copyright Lyonsdown Limited 2021
