82 percent of CIOs believe their software supply chains are vulnerable
A new global study of 1,000 CIOs finds that 82 percent say their organizations are vulnerable to cyberattacks targeting software supply chains.
The research from machine identity specialist Venafi suggests the shift to cloud native development, along with the increased speed brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex.
The increase in the number and sophistication of supply chain attacks, like SolarWinds and Kaseya, over the last 12 months has brought this issue into sharp focus, gaining the attention of CEOs and boards.
The study finds 87 percent of CIOs believe software engineers and developers compromise on security policies and controls in order to get new products and services to market faster. At the same time 85 percent of CIOs have been specifically instructed by the board or CEO to improve the security of software build and distribution environments. 84 percent say the budget dedicated to the security of software development environments has increased over the past year.
"Digital transformation has made every business a software developer. And as a result, software development environments have become huge targets for attackers," says Kevin Bocek, vice president of threat intelligence and business development for Venafi. "Hackers have discovered that successful supply chain attacks are extremely efficient and more profitable."
In response to the risks 68 percent are implementing more security controls, 57 percent are updating their review processes, 56 percent are expanding their use of code signing -- a key security control for software supply chains -- and 47 percent are looking at the provenance of their open source libraries.
"CIOs realize they need to improve software supply chain security but it's extremely difficult to determine exactly where the risks are, which improvements provide the greatest increase in security, and how these changes reduce risk over time," adds Bocek. "We can't solve this problem using existing methodologies. Instead, we need to think differently about the identity and integrity of the code we are building and using -- and we need to protect and secure it at every step of the development process at machine speed."
You can read more on the Venafi blog.