The Hidden Vulnerability in Your Software Supply Chain
I read a lot of industry reports based on surveys of one group or another, mostly developers, but it's not often I lay my eyes on one that makes me laugh and shudder at the same time.
The report, "Know the Enemy: What Execs Need to Understand to Secure their Software Supply Chain," was sent to me by the folks at JFrog, best known for Artifactory, a universal DevOps solution for hosting, managing, and distributing binaries and artifacts, but currently billed more expansively as a universal software supply chain platform for DevOps, Security, and MLOps. The report organizes the findings of a global survey of C-level and senior executives, managers, and individual contributors (analysts, specialists, developers, programmers, engineers, etc.) conducted by Atomik Research on behalf of the company.
Here's the funny bit: The research revealed "significant disconnects between senior executives/managers and developers regarding enterprise application security." No! Really? That execs and devs have divergent views on the state of their organizations' security is a hilarious understatement.
Now, the scary part: According to the researchers, malicious actors see the software supply chain (SSC) as the new "soft target," because there are fewer protections in place than in other enterprise systems. They support this conclusion with a troubling statistic: Nearly a quarter of respondent (23%) to a June 2023 survey said their organization experienced some type of SSC breach, which is an increase of 241% from 2022.
Perhaps even scarier, less than a third of respondents (30%) indicated that a vulnerable software supply chain was a top security gap.
This lack of alignment and communication between decision-makers and the teams implementing security protocols is exacerbated, the survey suggests, by the diversity of programming languages and the integration of AI and machine learning (ML) models into software further. More than half of the surveyed organizations use four to nine different programming languages, and a third use more than ten. This variety not only broadens the attack surface but also challenges the ability to maintain consistent security standards.
The report further quantified the disconnect between senior execs and the devs on the ground when it comes to open-source security: While 92% of the responding executives believe their companies have measures in place to detect malicious open-source packages, only 70% of responding developers agree.
The solution might seem obvious: Talk to each other! But the researchers were a bit more specific in their recommendation: Companies should take steps now to adopt a comprehensive, end-to-end application security platform. This platform would unify security practices across the software development lifecycle, integrating automated scanning tools to identify vulnerabilities, unauthorized changes, and compliance issues. And almost as important, it would foster a culture of security awareness and collaboration across all levels of the organization.
The rapid adoption of AI/ML technologies, particularly in regions like the United States, underscores the urgency for robust SSC security frameworks, the report's authors conclude. Executives must recognize that the future of their company hinges, not only on innovation, but also on the resilience and trustworthiness of their software ecosystems.
In the end, securing the software supply chain is not just a technical challenge; it's a strategic imperative. As the lines between development and security blur, the need for cohesive, proactive measures becomes ever more critical. For businesses striving to stay ahead in a competitive market, the message is clear: secure your software supply chain, or risk becoming the next headline in a data breach story.
The folks at JFrog are hosting a webinar focused on the findings of this report on August 20, with Paul Davis, JFrog field CISO, and Aran Azarzar is JFrog's Chief Information Officer. You can register here.
Posted by John K. Waters on July 24, 2024