Faced with a growing threat, more than 70 percent confirm current application security solutions fail to protect companies from security threats to the software supply chain
Global research commissioned by ReversingLabs, the industry leader in software supply chain security, and conducted by Dimensional Research has provided evidence that organizations recognize and are impacted by threats to the software supply chain. The ReversingLabs Software Supply Chain Risk Survey found that nearly 90 percent of technology professionals have discovered significant risks in their software supply chain in the past year. More than 70 percent said current application security solutions do not provide the necessary protection.
Dimensional Research surveyed more than 300 global executives, technology and security professionals at all seniority levels with direct responsibility for software at large enterprises. The ReversingLabs Software Supply Chain Risk Survey was designed to identify the sources of software supply chain security vulnerabilities for internally developed, open source, third party, and commercial software, as well as the frequency of these vulnerabilities. Through the study, ReversingLabs also sought to examine the maturity of organizations’ software supply chain security program; the tools currently in use; and the perceived value of those tools in addressing software supply chain security.
The key findings of the ReversingLabs Software Supply Chain Risk Survey are:
Software supply chain issues create ongoing business risks
Nearly all respondents (98 percent) acknowledged that software supply chain issues pose a significant business risk, citing concerns that go beyond code with vulnerabilities, secret disclosures, tampering, and certificate misconfigurations. Interestingly, more than half of technology professionals (55 percent) cited secrets leaked through source code as a serious business risk, followed by malicious code (52 percent) and suspicious code (46 percent). Recent public attention to the disclosure of CircleCI secrets and other breaches has raised awareness of this emerging problem. Software manipulation was cited as a serious risk by 38 percent of professionals in the survey. The revelation of the recent 3CX supply chain attack may draw more attention to that issue.
These sources of risk led to problems for the majority of respondents: Nearly nine out of ten companies discovered security or other software vulnerabilities in their software supply chain in the past 12 months. While open source software has long been seen as the main culprit for security vulnerabilities in the software supply chain, the study finds that internally developed software (47 percent) nearly equals open source (49 percent) for the top source of software problems, followed by commercial software (30 percent).
Companies have no control over the software supply chain… and they know it
Despite the widespread risks of the software supply chain, most companies are ill-equipped to identify and mitigate those risks, according to the study’s findings.
Survey participants overwhelmingly (88 percent) recognized that software supply chain security is an enterprise-wide risk, but only six out of 10 felt their software supply chain defenses were up to the task. 80 percent acknowledged the problem and indicated that their company is directly focused on improving software supply chain security.
The complexity of modern software development is partly to blame for this. For example, more than half of the software development companies that responded to the survey said they used contractors and third-party development companies as part of their software development process. Reliance on third parties increases cyber risk. In fact, according to the World Economic Forum’s Global Cybersecurity Outlook 2022, the number of indirect cyberattacks – successful breaches of companies via third parties – has increased from 44 percent to 61 percent in recent years.
Application security solutions leave gaps in software supply chain protection
Not having the right tools can increase the risk to the software supply chain. Nearly three-quarters (74 percent) of professionals surveyed agreed that traditional application security solutions, including software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST), are ineffective at protecting businesses against modern software supply chain threats.
Application security testing solutions and software composition analysis are key components of software supply chain security. However, they only address specific risks, such as software vulnerabilities, while leaving gaps. Companies recognize that these solutions alone, or even in combination, are not enough, and almost all of them agree (96 percent) that a dedicated software supply chain security (SSCS) solution is very important, enabling teams to control software release securely monitor through the detection of software supply chain threats, malware, malicious behavior, sabotage and exposure to secrets.
Wanted: Dedicated Software Supply Chain Security
Further defined for respondents, SSCS is described as going beyond SCA solutions that only provide open source license compliance and vulnerability detection, and SAST and DAST solutions that analyze source code quality for vulnerabilities.
Software supply chain risks require evolved application security capabilities that address the full spectrum of challenges introduced by internally developed open source and third-party components, commercial software, and binary misconfigurations. ReversingLabs’ comprehensive Software Supply Chain Security (SSCS) platform goes beyond addressing vulnerabilities and license compliance issues in open source components, providing inspection of internally developed binaries, commercial and third-party code, and identifying malware , malicious behavior, misconfigured certificates, evidence of tampering, version differences, and secrets detection and prioritization.