73% of organizations have significantly increased software supply chain security according to study


Editor’s brief: Every business today runs on code. Even a retail or food outlet has code behind its operations, including its inventory control, cashier, and order-taking apps on tablets. Across diverse industries, software needs to be developed, debugged, and deployed fast, especially where external stakeholders expect results quickly. So, while apps are developed fairly quickly, are we sure that cybersecurity risks are also being kept at bay? Leading application security company Synopsys commissioned in part a new study conducted by Enterprise Strategy Group (ESG), which sheds light on how open source software (OSS) is adopted in businesses and what Infrastructure as Code (IaC) means for supply chain risk. Read more below.

Singapore – Synopsys, Inc. (Nasdaq: SNPS) today revealed new research based on a recent survey of 350 application development, information technology, and cybersecurity decision-makers. The research, conducted by Enterprise Strategy Group (ESG), commissioned in part by the Synopsys Software Integrity Group, and highlighted in the “Walking the Line: GitOps and Shift Left Security: Scalable, Developer-centric Supply Chain Security Solutions” eBook, shows that software supply chain risk extends beyond open source.

Seventy-three percent of respondents say they have significantly increased their efforts to secure the software supply chain at their organizations as a result of software supply chain attacks and vulnerabilities such as Log4Shell, SolarWinds, and Kaseya. These efforts include improved asset discovery to update the organization’s attack surface inventory (30%), adoption of strong multifactor authentication technology (33%), and investment in application security testing controls (32%). Despite these measures, 34% of businesses say that a known vulnerability in OSS has been used to exploit their applications in the past year, and 28% say they’ve been hit by a zero-day exploit in OSS.

Inevitably, the presence of OSS in applications will grow in tandem with the scale of its use. Software Bills of Materials (SBOMs) are currently under scrutiny as a result of increased pressure to better manage risks in the software supply chain. Despite this, ESG research confirms that 39% of survey respondents identified managing OSS through SBOMs as a challenge, owing to the increasing complexity brought on by the widespread adoption of OSS and the generally poor quality of OSS management.

“As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognize that the risk extends beyond open source components. Infrastructure-as-code, containers, APIs, code repositories—the list goes on and on and must all be accounted for to ensure a holistic approach to software supply chain security.”

The original supply chain worry may have been open source software, but the move to cloud-native application development has shifted the focus to potential threats to additional links in the chain. It’s not just about the code anymore; it’s about the storage, packaging, and deployment of cloud-native apps, and the APIs they use to communicate with one another. The largest share of respondents (45%) believe APIs to be the most vulnerable attack vector, followed by data storage repositories (42%) and application container images (34%).

The vast majority of respondents (99%) said that their companies already make use of or plan to make use of OSS within the next 12 months. While there are valid worries about the upkeep, security, and reliability of these open source projects, the widespread adoption of open source within the application development process is the biggest cause for alarm. Having a large amount of open-source application code is the top priority for 54% of businesses.

“With the recent US Presidential Executive Order (14028) to improve the nation’s cybersecurity, there is significant interest around the importance of a concept known as a software Bill of Materials,” said Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center. “Effectively, an SBOM allows operators of software to know what third-party software producers included in their applications, whether it be from an open source, commercial or contracted third party. This knowledge is critical when designing a patch management process, as without it there is an incomplete view of the software risks present in any application—regardless of origin. Armed with this information, once the next zero-day vulnerability of Log4Shell proportions emerges (and it will) your organization will be able to act quickly and effectively to defend against attacks targeting third-party software components.”

Even though there has been a rise in developer-focused security and “shifting left,” a concept that allows developers to perform security testing earlier in the development lifecycle, the survey found that 97% of companies have experienced a security incident involving their cloud-native applications in the previous year.

Security issues are becoming more pressing for all teams as release cycles get shorter. Many members of the application development (41%) and DevOps (45%) teams agree that developers frequently bypass established security processes, while a majority of application developers (55%) agree that security teams lack visibility into development processes. However, more developers (45%) are currently responsible for application security testing than security teams (40%), and 68% of respondents said they are highly prioritizing the adoption of developer-focused security solutions and shifting some security responsibilities to developers. More than twice as many of these developers use in-house or open source security tools as use solutions from specialized third-party vendors.

Yet, only 36% of security teams reported being comfortable with development teams taking responsibility for testing, even though developers are playing a larger role in securing the software supply chain of cloud-native applications. Concerns such as overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight around security efforts remain the biggest obstacles to developer-led application security efforts.

###