Organizations are strengthening their software supply chain security as threats rise.


Organizations are strengthening their software supply chain security efforts to avoid repeating past incidents

  • 73% of respondents think they have significantly increased their efforts to secure the software supply chain for their organizations
  • A study by Enterprise Strategy Group reveals that software supply chain attacks are common in cloud-native apps

As software development businesses have taken additional measures to secure their applications, attackers have had to become more inventive in their approach. Today, the majority of firms are taking action to improve their software supply chain security as these threats become a more significant cybersecurity challenge.

According to the Anchore 2022 Software Supply Chain Security Report, software supply chain attacks affected more than 70% of survey respondents in the technology sectors in the last 12 months, with 50% of software organizations saying that the attacks had a substantial or moderate impact.

Every firm wants things quickly: talent, money, profitability, and even code and applications. This demand for speed can leave code and apps exposed to cybersecurity threats and vulnerabilities.

In response to the rise in security breaches, Synopsys, Inc. unveiled new findings based on a recent study of 350 decision-makers in the fields of application development, information technology, and cybersecurity. The research presented in the eBook “Walking the Line: GitOps and Shift Left Security: Scalable, Developer-centric Supply Chain Security Solutions” by Enterprise Strategy Group (ESG) and partially commissioned by Synopsys Software Integrity Group demonstrates that software supply chain risk goes beyond open source.

The state of the organization’s software supply chain security

73% of respondents claim they have considerably improved their efforts to secure their organizations’ software supply chain through a range of security activities in reaction to software supply chain attacks like Log4Shell, SolarWinds, and Kaseya. Adopting a robust multifactor authentication platform (33%), investing in controls for application security testing (32%), and improving asset discovery to update their organization’s attack surface inventory (30%) are some of these measures.

Despite these efforts, 28% of firms report having experienced a previously unknown (“zero-day”) exploit in open-source software, and 34% of organizations say that their applications have been exploited through a known vulnerability in OSS within the last 12 months.

As OSS usage spreads, applications built on it will inevitably become more prevalent. Software Bills of Materials (SBOMs) have come under increased scrutiny as organizations are pressed to improve supply chain risk management. Yet the explosion in OSS usage and poor OSS management have made this work difficult: the ESG research reveals that 39% of survey respondents rated compiling SBOMs as a challenge of using OSS.

The prioritization of a proactive security strategy is now a fundamental business imperative, according to Jason Schmitt, general manager of the Synopsys Software Integrity Group, as organizations become more aware of the potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines.

“While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories—the list goes on and on and must all be accounted for to ensure a holistic approach to software supply chain security,” he added.

Although the growth of cloud-native applications has raised concerns among enterprises, open-source software may have been the original source of supply chain attacks. The risk in cloud-native applications also covers how they are packaged, deployed, and used, as well as how they interact with one another via application programming interfaces (APIs).

The software supply chain of cloud-native applications is becoming more secure as a result of developers’ increased involvement, yet only 36% of security teams said they were comfortable with development teams handling testing. The biggest barriers to developer-led application security initiatives continue to be concerns about overloading development teams with extra tools and responsibilities, hindering innovation and velocity, and maintaining control over security activities.

An upstream vulnerability in one of an organization’s dependencies can affect its application, leaving it open to potential compromise if the organization is unaware of what is in its software supply chain.
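The dependency awareness described above is typically checked by reading an SBOM and comparing each component's version against published advisories. The following is an added example, not code from the article or from Synopsys or ESG; the CycloneDX-style SBOM, the advisory table (including the fixed versions) and the simple version comparison are all constructed for illustration, whereas real tooling matches on package URLs and proper version ranges.

```python
import json
import re

# Constructed sample SBOM in CycloneDX-like JSON (not any real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "name": "requests", "version": "2.28.1"},
    {"type": "library", "name": "left-pad"}
  ]
}
"""

# Constructed advisory table: component name -> [(first fixed version, advisory label)].
# Values are placeholders for illustration, not a real vulnerability feed.
ADVISORIES = {
    "log4j-core": [("2.15.0", "Log4Shell")],
    "jackson-databind": [("2.13.5", "EXAMPLE-ADVISORY-1")],
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is older than b (missing trailing fields count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def affected_components(sbom_json, advisories):
    """Return (name, version, advisory) for each SBOM component older than an advisory's fix.

    Components without a version cannot be assessed and are reported as such,
    since an unassessable entry is itself a supply chain blind spot.
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            findings.append((name, version, "UNASSESSABLE: missing version"))
            continue
        for fixed_in, advisory in advisories.get(name, []):
            if version_lt(version, fixed_in):
                findings.append((name, version, advisory))
    return findings
```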