Venafi researchers said the shift to cloud-native development, along with the increased speed of development brought about by the adoption of DevOps processes, has made the challenges of securing software supply chains much more complex.
The study, based on responses from 1,000 CIOs, found that adversaries, motivated by the success of high-profile software supply chain attacks on companies like SolarWinds and Kaseya, are stepping up attacks against software build and distribution environments. As these attacks increase, CIOs have become increasingly concerned about the serious business disruptions, revenue loss, data theft and customer damage that can result.
“Digital transformation has made every business a software developer and, as a result, software development environments have become a huge target for attackers,” said Kevin Bocek, vice president of threat intelligence and business development for Venafi. “Hackers have discovered that successful supply chain attacks, especially those that target machine identities, are extremely efficient and more profitable.”
The software supply chain has come into sharp focus recently as more credential and code-based attacks have taken place, said Pan Kamal, head of products at BluBracket. Kamal said the way software gets developed has changed — with the constant need to accelerate the pace of software deployment, security for applications has become more complex as the use of open source software and code from third-party repositories becomes more prevalent.
“Let’s face it,” Kamal said. “Code is everywhere. The cloud infrastructure and operational technology that drive the configuration and operation of our industrial control systems for utilities, water, oil and gas, chemicals, and transportation are all based on code. Software-based configuration opens up vulnerabilities that hackers can exploit to perpetrate attacks. Vulnerabilities in code are contributing to it becoming the largest cyberattack surface. Software supply chains are made up of several disparate software components from multiple sources. These are being targeted to attack critical infrastructure and operational systems.”
Andrew Hay, COO at LARES Consulting, said the CIOs are correct in their belief that corners are cut to get new products and services to market, but the blame shouldn't land on the engineers or developers. Hay said in startup environments, engineers aren't the ones determining the speed at which a product gets to market.
“That's the direction of the executive team, sales, marketing and product management teams,” Hay said. “They are the stakeholders that determine what features are dropped or postponed to meet the requirements of prospects and customers. Investment in software security products and solutions ebbs and flows. With the move to the cloud, and a renewed focus on supply chain security, we can likely expect to see budget increases and new products or services chasing that money for the next little while.”