Organizations are stepping up software supply chain security efforts against the risks posed by the prevalence of open source

By Lance T. Lee

Aug 19, 2022

Software supply chain security is a major concern for most organizations worried about the prevalence of open source code in their products, a Synopsys and ESG report found.

Consequently, most organizations have stepped up their supply chain security efforts in light of high-profile supply chain attacks such as SolarWinds, Kaseya and Log4Shell.

Synopsys’ Software Integrity Group and Enterprise Strategy Group (ESG) found that 99% of organizations are either using (80%) or planning (19%) to integrate open source software (OSS) within the next 12 months. However, more than half (54%) of respondents were concerned about the prevalence of open source software, while 41% worried about being victimized by hackers targeting popular open source software. Another 40% had problems trusting the origin of open source code, while 39% worried about software bills of materials (SBOM) in OSS.

According to Jason Schmitt, Managing Director of Synopsys, these and other concerns highlight the potential impact of software supply chain vulnerabilities on organizations posed by open source software.

Most Organizations Are Prepared for Software Supply Chain Security Risks

The Synopsys/ESG report found that nearly three quarters (73%) of organizations have adopted measures to secure their supply chains.

Key software supply chain security measures adopted by most organizations include:

  • Strong authentication such as multi-factor authentication (33%)
  • Management visibility into secure development practices (33%)
  • Application security testing controls (32%)
  • Assessment of current security controls (30%)
  • Improved asset discovery (30%)
  • Scanning of software updates (30%)
  • New detection rules and/or security analysis systems (29%)
  • Software vendor audits (29%)
  • Regular composition analysis (26%)
  • Penetration testing/red team (26%)

According to Melinda Marks, Senior ESG Analyst, organizations seek to understand their OSS components and react quickly to vulnerabilities.

Organizations favor developer-centric approaches to securing the software supply chain

The report said organizations were “moving to the left” by incorporating security practices into early software development cycles to address software supply chain security risks. This “left-shifted” approach meant that developers played a critical role in managing supply chain risk. According to two-thirds (68%) of respondents, this strategy was a priority for their organization.

Therefore, organizations have integrated security-as-code (SaC) strategies, cybersecurity user stories into agile development, and GitOps to mitigate software supply chain security risks. The report found that 59% of organizations have integrated SaC into developer workflows, while 72% believe it will be relevant within the next two years.

Similarly, 63% had adopted cybersecurity user stories in the agile software development process for cloud-native applications, and 55% had adopted GitOps to roll back setups.

According to the report, 31% of organizations have had secrets stolen via Git repositories. In response, 85% of organizations scanned their repositories for secrets, and many found them before they were released to the world.
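The repository secret scanning the report refers to is straightforward to prototype. The following is an added example (not code from the report, from Synopsys or from ESG): it runs a few pattern rules for provider-documented key prefixes (the exact token lengths and the regular expressions are this example's assumptions), plus a generic rule for sensitive-looking assignments with a Shannon-entropy check, over a handful of constructed diff lines. Findings are redacted before they are reported so that a CI log does not become a second copy of the leaked secret.

```python
"""Minimal pre-commit style secret scanner over diff lines.
Added example: not code from the Synopsys/ESG report or any product it cites."""
import math
import re

# Well-known credential formats. Prefixes follow the providers' published
# formats; the exact lengths and patterns here are this example's assumptions.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "sensitive_name = 'quoted value'" assignments, e.g. db_password = "..."
# The leading \w* lets SLACK_SECRET or db_password match on their suffix.
ASSIGNMENT_RULE = re.compile(
    r"(?i)\w*(password|passwd|secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)

ENTROPY_MIN_LENGTH = 20   # only values at least this long are judged by entropy
ENTROPY_THRESHOLD = 3.5   # bits per character; random tokens sit well above this
PLACEHOLDER_VALUES = {"changeme", "placeholder", "example", "xxx", "todo"}

# Constructed sample diff lines (hypothetical values, not real credentials).
SAMPLE_LINES = [
    '+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"',
    '+db_password = "hunter2"',
    '+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123',
    '+SLACK_SECRET = "q9ZxP2mN7kLw4RtYbV8sDfGhJ3aE6cUo"',
    '+log_level = "info"',
    '+# token = "placeholder"',
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string (0.0 for a single repeated char)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a finding can be located without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_line(line: str, lineno: int = 0) -> list:
    """Return a list of findings ({line, rule, value}) for one diff line."""
    findings = []
    for name, rx in PATTERN_RULES.items():
        for m in rx.finditer(line):
            findings.append({"line": lineno, "rule": name, "value": redact(m.group(0))})
    m = ASSIGNMENT_RULE.search(line)
    if m:
        value = m.group(2)
        # Obvious placeholders are the most common false positive; skip them.
        if value.lower() not in PLACEHOLDER_VALUES:
            long_and_random = (len(value) >= ENTROPY_MIN_LENGTH
                               and shannon_entropy(value) >= ENTROPY_THRESHOLD)
            rule = "high_entropy_assignment" if long_and_random else "sensitive_assignment"
            findings.append({"line": lineno, "rule": rule, "value": redact(value)})
    return findings


def scan_lines(lines) -> list:
    """Scan every line (numbered from 1) and collect all findings in order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        findings.extend(scan_line(line, lineno))
    return findings


def exit_code(findings) -> int:
    """Non-zero when anything was found, so a pre-commit hook or CI job blocks the change."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LINES)
    for f in results:
        print(f"line {f['line']}: {f['rule']}: {f['value']}")
    raise SystemExit(exit_code(results))
```

Run as a script it reports four findings from the constructed sample (the AWS key, the weak hard-coded password, the GitHub token and the high-entropy Slack value) and exits non-zero, while the `log_level` and placeholder lines are ignored. In a real hook the sample list would be replaced by the output of the staged diff, and the pattern set extended to the providers the organization actually uses.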

The Challenges of the “Left Shift” Approach to Software Supply Chain Security

Although the developer-centric approach to securing the supply chain has helped address cybersecurity staffing shortages, most organizations have faced insurmountable challenges.

According to the report, 56% of respondents said their organizations lacked enough analysts to implement security-as-code, while 51% said SaC was not mature enough to be integrated into their organization's cybersecurity strategy.

Additionally, organizations struggled to keep up with the speed and volume of releases. This situation has led to software releases without security controls or testing, according to 45% of respondents.

Similarly, security teams lacked visibility into the development process (43%), and there was a lack of consistency across development teams (36%).

According to most security respondents, the “shift left” approach isn’t working, with only 34% saying development teams are meeting their security expectations. Additionally, organizations anticipated more challenges when adopting the shift-left software supply chain security approach.

Forty-four percent of respondents expected the strategy to overburden developers with security responsibilities or tools, 43% expected it to generate more work for security teams, and 42% considered developers unqualified for security responsibilities.

Open Source Software Data Breaches Persist Despite Security Efforts

Despite efforts to improve software supply chain security, more than a third (34%) of organizations have experienced a breach related to open source software.

Additionally, more than a quarter (28%) experienced breaches from zero-day exploits of previously unknown vulnerabilities in OSS, according to the Walking the Line: GitOps and Security Shift Left report.

“As organizations see the level of potential impact that a software supply chain security vulnerability or breach can have on their business through headlines, prioritizing a proactive security strategy is now a fundamental business imperative,” Schmitt said.


Although the report indicated that most organizations are on track to address software supply chain security vulnerabilities posed by open source code, more effort is needed to cover all the bases.
