While progress is being made in locking down software supply chains, it continues to be made at a maddeningly slow rate.
A recent survey of 397 IT, cybersecurity and application development professionals, conducted by Enterprise Strategy Group (ESG) on behalf of Data Theorem, found organizations are still struggling with providing security teams with visibility and control of development processes (41%), new builds being deployed to production with misconfigurations, vulnerabilities and other security issues (40%), developers skipping security processes (39%), software released without going through security checks and/or testing (38%), lack of security process consistency across different development teams (38%), security teams that can’t keep pace with release cadences (34%) and developers’ reluctance to work with security (29%).
A separate survey of 300 global executives, technology and security professionals from ReversingLabs finds 87% of respondents detected significant risks in their software supply chain, including vulnerabilities (82%), secrets leaked through source code (55%), malicious code (52%) and suspicious code (46%) finding their way into software.
Nearly three-quarters (74%) said legacy application security tools, including static application security testing (SAST) (54%), dynamic application security testing (DAST) (42%) and software composition analysis (SCA) (40%), are ineffective against threats to modern software supply chains. Nearly two-thirds (65%), however, acknowledged their organization’s software supply chain security program wasn’t as mature as it should be.
On the plus side, 80% are currently focused on improving security for the software supply chain, with 96% noting a more comprehensive approach to software supply chain security that detects more than vulnerabilities is needed.
Much of the challenge of securing software supply chains can be traced back to dependencies on open source software. Many of the maintainers of these projects lack the resources required to address new vulnerabilities as they are discovered, so there may be instances where no patch is available for a known vulnerability.
Even when a patch is available, it might not be installed because the DevOps teams are concerned that updating an open source component might break the application. As a result, IT teams are in effect placing a bet on whether cybercriminals will be able to discover and exploit that vulnerability.
At the same time, the pace at which applications are being built continues to accelerate thanks to the rise of generative artificial intelligence (AI). Much of the code being generated by co-pilots contains the same vulnerabilities as the code that was used to train the underlying general-purpose large language model (LLM) at the core of platforms such as ChatGPT. In the short term, at least, it’s probable that more vulnerabilities will as a result find their way into production environments, at least until LLMs trained using code that has been vetted become more widely accessible.
All these issues will, of course, soon come to a head as more stringent regulations holding organizations accountable for the security of the software they deploy are adopted by governments around the world. Tolerance for sloppy application development processes is dropping as legislative bodies increasingly determine that software developers are a big part of a cybersecurity problem that threatens both national security and the global economy.
IT leaders, naturally, are already under pressure to address these regulatory requirements sooner rather than later. Many of them are embracing platform engineering as a methodology for centralizing the management of DevOps workflows, with an eye toward simultaneously implementing DevSecOps best practices. Arguably, the biggest challenge when it comes to DevSecOps is how fundamentally distributed DevOps workflows are today. It’s simply too difficult to consistently apply security policies across multiple DevOps platforms.
Regardless of the approach, however, securing software supply chains is now a pressing issue that organizations can no longer afford to ignore in an era where cybercriminals are becoming more adept at exploiting vulnerabilities with each passing day.