Digital economies have made almost every business a software developer, making their development environments attractive targets for adversaries. According to a Venafi survey, a company that protects machine identities, 82% of respondents said their organizations are at risk of cyberattacks targeting their software supply chains. The survey included 1,000 CIOs from the United States, the United Kingdom, France, DACH (Germany, Austria, Switzerland), the Benelux and Australia/New Zealand.

As a result of the shift to cloud native development and the adoption of DevOps processes, the challenges related to protecting the software supply chain have become more complex. Meanwhile, cyber criminals are targeting software supply chains in response to the successful attacks on companies like SolarWinds and Kaseya.

Over the past year, the number and complexity of attacks on the software supply chain has also brought this risk to the attention of CEOs and members of the board of directors. Consequently, CIOs are increasingly concerned about the potential business disruptions, revenue loss, information theft, and damage to customers that successful attacks on the software supply chain could cause.

Research results show that 87% of CIOs believe software engineers and developers are compromising security policies and controls to get new products and services to market faster. An impressive 85% of CIOs surveyed have been instructed by their board of directors or CEO to improve the security of software development. The good news is that 84% of respondents say their budgets for software development security have increased over the past year.

Over 90% of all software applications use open source components, while the dependencies and vulnerabilities involved with open source software are extremely complex. DevOps and CI/CD (continuous delivery and/or continuous deployment) processes are usually geared towards allowing developers to work quickly, but not always in the most secure way. Because of the complexity of open source and the speed of development, security controls within the software supply chain cannot keep up with the fast pace of innovation.

To mitigate risk, CIOs realize they need to change their approach. Therefore, more security checks must be performed, code review processes must be updated, code signing must be enhanced, and DevOps engineers must use more stringent processes when choosing which open source libraries to use.

Photo credit: Sigmund