Global research commissioned by ReversingLabs and conducted by Dimensional Research, revealed that software development teams are increasingly concerned about supply chain attacks and tampering, but barely a third said they can effectively vet the security of developed and published code for tampering.
Dimensional Research surveyed more than 300, global IT and security professionals. Respondents included executives, technology, and security professionals at software enterprises both large and small representing all seniority levels and with digital product or leadership responsibilities.
Despite being aware of the dangers of publishing vulnerable software, the survey found, companies continue to put themselves at risk for software supply chain attacks.
- Companies are rolling the dice with software releases. Among survey respondents, 54 percent said their firm knowingly releases software with potential security risks.
- Third party code increases supply chain risk. 98 percent of respondents reported that third party software use including open-source software increases security risks. However, 51 percent report being able to protect their software from supply chain attacks.
- Software tampering is real, but it’s invisible: 87 percent of security and technology professionals agree that software tampering is a new vector with breach opportunities for bad actors, but only 37 percent indicate they have a way to detect it across their supply chain.
- Of those that can detect software tampering, just seven percent do it at each phase of the software development lifecycle, and just 1 in 3 actually check for tampering once an application is final and deployed.
“Executives are acutely aware of software supply chain risks,” said Mario Vuksan, CEO, ReversingLabs. “That’s not surprising, given the visibility of high profile attacks and the US administration’s directive to set baseline security standards for software sold to the government. We can be confident that organizations recognize that software risks extend beyond vulnerabilities and malware, and that tampering threats represent a growing attack vector opening them up to new risks. Unfortunately, most are still behind in their ability to address tampering.”
The survey also revealed that executives are open to adopting tools like software bills of materials (SBoMs) to help them manage the complex task of monitoring and detecting supply chain compromises and risks. 77 percent of those surveyed said they appreciate the value of an SBoM as a way to test for tampering. However, most companies fail to generate and review SBoMs. Respondents said the complexity and prevalence of tedious, manual processes for creating SBoMs were obstacles. So too were the lack of best practices, processes, and tools, combined with a lack of expertise.
- Only 27 percent of companies currently generate and review SBoMs, and 90 percent indicated increasing difficulty to create and review SBoMs.
- Nearly half of respondents reported SBoM generation and review processes involve manual steps.
- Lack of expertise (44 percent) and inadequate staffing to review and analyze SBoMs (44 percent) were the leading reasons behind companies’ inability to generate and review an SBoM.
“Respondents recognize that tooling and automation is necessary for the detection of tampering at all phases of the software development process. Still, they struggle to advance it in practice,” observed Vuksan.
“As new solutions become available that provide insight into developed code and that can detect tampering before public distribution, organizations can take steps to properly manage their software supply chain risk, and ensure that their code isn’t a victim of tampering by sophisticated cyber actors.”
According to the 2022 Gartner report titled, Innovation Insight for SBOMs, “software supply chain security attacks have exposed the risks associated with commercially procured tools and platforms because you don’t know what’s “inside the box.”
Gartner research goes on to say that “while reusable components and open-source software have simplified software development, this simplicity has exposed a critical visibility gap: Organizations are unable to accurately record and summarize the massive volume of software they produce, consume and operate. Without this visibility, software supply chains are vulnerable to the security and licensing compliance risks associated with software components.”