High-profile software supply chain attacks have had an impact on security practice, with many firms taking steps to improve their level of protection.
The Kaseya and SolarWinds incidents are the worst-case examples that have prompted this activity, and the Synopsys Software Integrity Group has now shared findings from research that surveyed application developers, information technologists and cyber security decision-makers.
The headline finding was that, in response to software supply chain attacks, 73% of respondents had increased their efforts to strengthen security. Those efforts included wider adoption of multifactor authentication, adding security testing controls, improving asset discovery and updating the attack surface inventory.
Even with those investments, a third of those quizzed reported that applications had been exploited due to a known vulnerability in open source software in the past year.
Open source software has been a supply chain concern for a while, but there are also fears that other areas could be avenues for attackers, including cloud app development and application programming interfaces (APIs).
“As organisations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritisation of a proactive security strategy is now a foundational business imperative,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group.
“While managing open source risk is a critical component of managing software supply chain risk in cloud-native applications, we must also recognise that the risk extends beyond open source components,” he added. “Infrastructure-as-code, containers, APIs, code repositories – the list goes on and on, and must all be accounted for to ensure a holistic approach to software supply chain security.”
Research from across the security industry continues to underline the theme that attacks are rising, with ransomware in particular remaining a major concern.
In a forthcoming opinion article for MicroScope, Jaime Arze, third party risk manager at Datto, said that supply chain attacks have risen dramatically.
“We are seeing a new era of supply chain attacks that affect large numbers of customers, directly or indirectly,” he said. “The incidents that make the headlines are only the tip of the iceberg: there was a 650% surge in supply chain attacks in 2021 alone.”
Arze added that managed service providers (MSPs) were in the firing line and had to take steps to ensure they were not the weak link in the chain.
“MSPs have to first and foremost protect themselves to protect their clients,” he said. “Keep relationships transparent. The level of diligence, security expectations and accountability should grow as vendor relationships deepen. Expecting quality security outcomes from your suppliers will ultimately help protect your clients, too – after all, your clients expect the same from you.”