While firms have stepped up their cyber security practices in recent years, many of them remain particularly vulnerable to cyber-attacks through their supply chains. That's according to a new study conducted by machine identity management provider Venafi that surveyed over 1,000 chief information officers (CIOs) globally, including India. The study stressed that a whopping 82% of CIOs stated that their organisations were vulnerable to supply chain attacks in the past year. This in turn has caused serious business disruptions, revenue loss, data theft and customer damage.
The report also found that 87% of CIOs believe software engineers and developers compromise on security policies and controls in order to get new products and services to market faster.
The study researchers explained that more than 90% of software applications use open-source components, and that the dependencies and vulnerabilities associated with open-source software are extremely complex. At the same time, DevOps pipelines are typically structured to enable developers to move quickly, but not necessarily more securely. In the push to innovate faster, the complexity of open source and the speed of development limit the efficacy of software supply chain security controls. That turns out to be a matter of concern.
Consequently, 85% of CIOs have been specifically instructed by the board or CEO to improve the security of software build and distribution environments – making the situation even more challenging.
“Digital transformation has made every business a software developer — and as a result, engineers and the software development environments have become a huge target for attackers,” Kevin Bocek, vice president of threat intelligence and business development for Venafi, told TechCircle. He added that “Hackers now realise that successful supply chain attacks are extremely efficient and even more profitable.”
Bocek mentioned that he has seen dozens of ways to compromise development environments in these types of attacks, including attacks leveraging open-source software components like Log4j. “The reality is that developers are focused on innovation and speed rather than security,” Bocek added.
“Unfortunately, security teams rarely have the knowledge or the resources to help developers solve these problems — and CIOs are just waking up to these challenges,” he said.
To boost software supply chain security, the study recommends that CIOs implement more cybersecurity controls in their organisations, update their review processes, and expand their use of code signing, a key security measure for software supply chains.
Bocek further said, “The problem cannot be solved by using existing methodologies. Instead, we need to think differently about the identity and integrity of the code we are building and using — and we need to protect and secure it at every step of the development process at machine speed.”