Who is responsible for guarding against software supply chain attacks? Who knows!
Software supply chain attacks like that on SolarWinds have become more of a threat in recent months. But when it comes to defending against them businesses can't decide who is responsible according to a new report.
The study from machine identity management company Venafi is based on the opinions of over 1,000 information security professionals, developers and executives in the IT and software development industries.
It finds that 97 percent agree that the techniques and procedures used to attack SolarWinds software development environment will be reused in new attacks this year. But despite this certainty, there is no agreement between security and development teams on where responsibility for improving security in the software build and distribution environments should lie.
When asked who is primarily responsible for improving the security of their organization's software development environments, 48 percent of respondents say their security teams are responsible and 48 percent say their development teams are responsible.
Opinions are split on overall responsibility for the build process too. 69 percent of developer respondents believe developers are responsible, while 67 percent of security respondents believe it's the security team’s responsibility.
When asked who should be responsible for the security of their organization's software build process, 58 percent of security respondents say it should be their responsibility and 53 percent of developer respondents say it should be theirs. Only eight percent of all respondents suggested that responsibility should be shared.
"While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can't even agree on who us responsible for taking these actions it’s pretty clear that we aren't even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves."
Among other findings 80 percent of respondents say they are not completely confident in their organization's ability to defend against attacks targeting software build environments.
A whitepaper on the findings is available from the Venafi site.