Software vendors should be held to account for insecure build environments
A new survey from Venafi reveals that 94 percent of executives believe there should be clear consequences -- such as fines and greater legal liability for companies proven to be negligent -- for software vendors that fail to protect the integrity of their software build pipelines.
However, most have done little to change the way they evaluate the security of the software they purchase and the assurances they demand from software providers.
Among other findings, 97 percent of executives believe that software providers need to improve the security of their software build and code signing processes. 96 percent also think that software providers should be required to guarantee the integrity of the code in their software updates.
Despite this, 55 percent report that the SolarWinds hack has had little or no impact on the concerns they consider when purchasing software products for their company. In addition 69 percent say their company has not increased the number of questions they are asking software providers about the processes used to assure the security of their software and verify code.
"There is a clear disconnect between concern about supply chain attacks and improving security controls and processes to mitigate this risk," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "Executives are right to be concerned about the impact of supply chain attacks. These attacks present serious risks to every organization that uses commercial software and are extremely difficult to defend against. To address this systemic problem, the entire technology industry needs to change the way we build and buy software. Executives can't treat this as just another technical problem -- it's an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software."
The study also shows executives are split on who is responsible for improving the security within their own software development organizations. With 48 percent saying IT security is responsible and 46 percent thinking development teams are responsible.
You can read more on the Venafi blog.