Malicious actors have become more adept at targeting the software supply chain
The surge in software supply chain attacks has exposed a lack of readiness among organizations, making every software builder a potential target. To address this growing concern and provide guidance on safeguarding software supply chains, International Data Corporation (IDC) has released a series of reports aimed at raising awareness and helping organizations protect their software development and deployment processes.
Software supply chain security encompasses securing the various components and activities involved in creating and delivering an application, including people, processes, dependencies, and tools. It differs from traditional application security, which focuses on identifying and remediating vulnerabilities in the software itself, typically at runtime.
Despite the increasing prevalence of supply chain attacks, many organizations are unaware of their vulnerability and lack adequate protection. According to a recent DevSecOps survey conducted by IDC, less than 30 per cent of respondents recognized a vulnerable software supply chain as a top security gap or exposure. Furthermore, 23 per cent reported experiencing some form of software supply chain breach—a 241 per cent increase compared to the previous year.
Malicious actors have become more adept at targeting the software supply chain, employing sophisticated techniques to avoid detection and patiently gathering information before launching an attack. These threat actors range from nation-states to rogue hackers with criminal intent. By exploiting an organization's application software supply chain, they gain access to proprietary source code, build processes, and automated update mechanisms, which lets them infect DevOps pipelines and applications and potentially compromise customer data.
Numerous high-profile software supply chain breaches have occurred in recent years, including SolarWinds, Codecov, Kaseya, PyTorch, Applied Materials, and the 3CX business phone system attack. While these attacks share the commonality of targeting the software supply chain, they employ diverse techniques, making it challenging to identify and address all possible means of exploitation.
Jim Mercer, Research Vice President of DevOps and DevSecOps at IDC, emphasized the exponential increase in software supply chain breaches and the need for organizations to fortify their application software supply chains to prevent such breaches. He highlighted the risks posed by these attacks, as they provide access to valuable assets like source code and can facilitate lateral movement within an organization.
The rise in software supply chain attacks has prompted the U.S. Federal Government to leverage its purchasing power to raise security standards, as demonstrated by the May 2021 Executive Order 14028 and the March 2023 National Cybersecurity Strategy. These initiatives have stimulated efforts to develop and track software bills of materials (SBOMs).
Katie Norton, Senior Research Analyst of DevOps and DevSecOps at IDC, acknowledged the significance of SBOMs in securing software supply chains but noted challenges in implementing practices and tools to make them actionable. However, she highlighted the emergence of an ecosystem comprising frameworks, projects, and tools aimed at assisting organizations in establishing SBOM strategies to ensure preparedness for future threats or regulatory requirements.
The reports from IDC underscore the pressing need for organizations to prioritize software supply chain security and take proactive measures to protect their applications. By understanding the risks, implementing best practices, and leveraging tools and frameworks available, organizations can mitigate the growing threat of software supply chain attacks and safeguard their digital assets.