Supply chain attacks are up, defences are patchy, report

Plenty of awareness, not so much effective action, finds Checkmarx

Since the SolarWinds and Kaseya attacks in the early years of this decade, the awareness that component libraries and modules can be hijacked and modified to introduce vulnerabilities into enterprise software has grown.

In 2021, the Biden administration released Executive Order (EO) 14028, which charged US agencies with enhancing their cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. Chief among these was the software bill of materials (SBOM), a formal record containing the details and supply chain relationships of various components used in building software.

The EO certainly raised awareness of the issue, particularly in the US. However, awareness is one thing, putting it into practice something else.

Recently security vendor Checkmarx surveyed 900 application security professionals from around the globe about supply chain security. Computing asked the researchers to split out the UK figures for context.

Globally, 41% of respondents said they were aware of EO 14028 (interestingly, all 57 UK respondents were aware), but, of those, only 43% were following its principles (35% in the UK).

Overall, around half of respondents said they were asking third-party vendors for SBOMs (42% in the UK), but fewer than half that number felt they were deploying SBOMs effectively. UK respondents were rather more confident in this regard, with 62% believing their SBOM usage to be effective.

The general lack of confidence may be because, according to Checkmarx, deployments have been half-baked.

The vast majority of activity around application security, including the use of SBOMs, occurs in the design and development stage - which makes sense because that's where the evaluation happens.

However, the researchers point out, this is only half the story. The real value of an SBOM comes after release: when a vulnerability is disclosed in a widely used component (the Log4j bug being the canonical example), it is the record that lets an organisation find every deployment carrying the affected version. Organisations are still immature in this regard: only 3% of resources are dedicated to application security at the maintenance stage of the software development lifecycle.
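What that maintenance-stage use looks like in practice, as an added example that is not from the article or from Checkmarx: a small Python script that takes per-deployment SBOMs in the CycloneDX JSON shape and lists which deployments carry a component version inside a known-vulnerable range. The SBOM documents and deployment names are constructed for the example; the range in the usage call (log4j-core 2.0-beta9 through 2.14.1) is the affected range published for CVE-2021-44228. It also handles two things a naive grep misses: components nested inside other components, and components whose version is absent (reported as "unknown" rather than silently treated as clean).

```python
"""Answer "where is the vulnerable component deployed?" from a set of SBOMs.

Added example, not from the article or Checkmarx. The SBOMs below are
constructed CycloneDX-style JSON documents, one per hypothetical
deployment; in practice they would be read from files with json.load().
"""
import re

LOG4J = "org.apache.logging.log4j"

# Constructed sample SBOMs (CycloneDX 1.4 JSON shape), keyed by deployment.
SAMPLE_SBOMS = {
    "payments-api": {"bomFormat": "CycloneDX", "components": [
        # a bundled internal library whose SBOM nests the logger one level down
        {"type": "library", "group": "com.example", "name": "shared-logging", "version": "1.4.0",
         "components": [
             {"type": "library", "group": LOG4J, "name": "log4j-core", "version": "2.14.1"},
         ]},
    ]},
    "inventory-svc": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "group": LOG4J, "name": "log4j-core", "version": "2.17.1"},
    ]},
    "legacy-batch": {"bomFormat": "CycloneDX", "components": [
        # identity only via package URL: the generator left group/name/version empty
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    ]},
    "notification-svc": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "group": LOG4J, "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": LOG4J, "name": "log4j-core"},  # version missing
    ]},
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")
_MAVEN_PURL_RE = re.compile(r"pkg:maven/([^/]+)/([^@?#]+)(?:@([^?#]+))?")


def parse_version(text):
    """Maven-style version -> sortable key: "2.14.1" -> (2, 14, 1, 1, 0),
    "2.0-beta9" -> (2, 0, 0, 0, 9). A pre-release sorts below the same
    numeric release, so 2.0-beta9 < 2.0 < 2.0.1."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = ([int(n) for n in m.group(1).split(".")] + [0, 0, 0])[:3]
    if m.group(2):
        return (*nums, 0, int(m.group(3) or 0))
    return (*nums, 1, 0)


def identity(component):
    """(group, name, version) from explicit fields, falling back to the purl."""
    group, name, version = component.get("group"), component.get("name"), component.get("version")
    m = _MAVEN_PURL_RE.match(component.get("purl", ""))
    if m:
        group, name, version = group or m.group(1), name or m.group(2), version or m.group(3)
    return group, name, version


def walk_components(components):
    """Yield every component, including ones nested inside other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(sboms, group, name, first_bad, last_bad):
    """Deployments carrying group:name with a version in [first_bad, last_bad].
    Name matches whose version cannot be determined go into 'unknown'."""
    lo, hi = parse_version(first_bad), parse_version(last_bad)
    affected, unknown = [], []
    for deployment, sbom in sboms.items():
        for comp in walk_components(sbom.get("components", [])):
            c_group, c_name, c_version = identity(comp)
            if (c_group, c_name) != (group, name):
                continue
            try:
                key = parse_version(c_version or "")
            except ValueError:
                unknown.append(deployment)
                continue
            if lo <= key <= hi:
                affected.append((deployment, c_version))
    return {"affected": sorted(affected), "unknown": sorted(set(unknown))}


if __name__ == "__main__":
    # CVE-2021-44228 (Log4Shell): log4j-core 2.0-beta9 through 2.14.1 are affected.
    report = find_affected(SAMPLE_SBOMS, LOG4J, "log4j-core", "2.0-beta9", "2.14.1")
    for deployment, version in report["affected"]:
        print(f"PATCH  {deployment}: log4j-core {version}")
    for deployment in report["unknown"]:
        print(f"CHECK  {deployment}: log4j-core present, version not recorded")
```

Run against the samples, it flags payments-api (the nested 2.14.1) and legacy-batch (2.0-beta9, identified only by purl) for patching, passes inventory-svc (2.17.1), ignores notification-svc's log4j-api, and queues notification-svc's version-less log4j-core for a manual check. The "unknown" bucket is the point: an SBOM that omits versions answers the question no better than no SBOM at all, which is the kind of half-baked deployment the survey describes.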


SBOMs are not the only tools for tightening supply chain security. Others include governing access to development repositories, scanning IaC templates, detecting malicious code in open source modules, and establishing artifact repositories for trusted content. In each case around half of the respondents had measures in place, but of those around half were not confident they were being used effectively. UK figures broadly conformed with the overall cohort here.

In part, this lack of confidence may be down to an unclear line of responsibility for the software supply chain. This was evenly split between developers, application security teams, DevOps/DevSecOps and security champions.

In part, Checkmarx suggests, it may be down to security tool sprawl.

"Just like with SBOMs, unlocking the value of AppSec tools depends on operationalising and managing them effectively. This is a perennial struggle for organisations that typically have too many tools and a programme that has grown organically."

Either way, it seems companies have a long way to go before they get ahead of this problem. For organisations that do not sell software to the US government (the only ones for whom EO 14028's provisions are mandatory), protecting effectively against supply chain attacks is apparently still not top-of-mind, even as such attacks increase: 63% of respondents said they had experienced some sort of supply chain attack in the last two years.