Despite widespread concern about the perils of software supply chain risks, most publishers remain vulnerable to software supply chain attacks, according to a survey commissioned by ReversingLabs and conducted by Dimensional Research. One key reason: companies are regularly finding vulnerabilities in their code, yet lack tools to detect when those flaws are being misused.
The survey, titled ‘Flying Blind: Software Firms Struggle To Detect Supply Chain Hacks,’ asked 307 employees at software enterprises, ranging from executives to technology and security professionals, about software supply chain risks. Most recognized the peril of software supply chain risks like software tampering, with 87 percent responding that they were aware it had caused enterprise security breaches.
Software supply chain risks gained prominence due to incidents like the SolarWinds attack, in which software tampering inserted a backdoor into an upcoming SolarWinds Orion software update, specifically targeting the build/pre-distribution stage.
More than three-fourths (77 percent) of those surveyed said their company deems a solution that could detect software tampering as “very valuable” or “moderately valuable,” showing high levels of interest.
Respondents also identified specific software supply chain dangers for their employers: exploitable software vulnerabilities (66 percent), threats and malware lurking in open source repositories (63 percent), the inability to detect software tampering (51 percent), and vulnerabilities in CI/CD toolchains (40 percent).
Despite this understanding of risk, 37 percent of respondents said their company released software monthly that was subsequently found to have a security vulnerability. For quarterly software releases, 64 percent admitted that software released during that period was subsequently found to contain vulnerabilities following either internal or external review. One in ten said that security issues rarely or never affect the release of software by their organization, meaning they could ship software even while aware of security issues, according to ReversingLabs.
Only 37 percent said their company can detect software tampering in its software supply chain, while 49 percent said it cannot, and 14 percent said they don’t know. A mere 7 percent said they check for software tampering across every phase of the software development lifecycle, and 10 percent said they don’t check for it at all.
While ReversingLabs says there are signs of optimism, like rising interest in the software bill of materials (SBOM) propelled by a U.S. executive order and federal regulators, around half of those surveyed said they don’t produce an SBOM due to a lack of expertise (44 percent), staff (44 percent), and budget (32 percent).