Dive Brief:
- As the software industry struggles to recover from a supply chain security crisis, a research study shows industry executives are saying the right things, but doing very little to back up the rhetoric with decisive action to ensure vendor security.
- About 94% of IT and development executives agreed that software vendors should face consequences, including fines and increased legal liability, for failing to secure their build process, according to a study by Venafi released Tuesday. The survey of more than 1,000 IT and development professionals included 193 executives who are tasked with both security and software development.
- However, most respondents have done little to increase the scrutiny of the software purchasing process. Respondents are also divided over which side of the aisle is responsible for software security, with 48% saying IT security is responsible, while 46% say development teams are responsible.
Dive Insight:
The disconnect between the rhetoric and the performance in the software development and security industries is part of an internal debate about which sector should take the lead, according to a key security researcher at Venafi.
The survey shows 97% of respondents agree that the software providers need to improve the security of their build and code signing process. In addition, 96% agree software providers need to guarantee the integrity of code included in software updates.
However, the report shows the industry has done little to back up those words with specific changes in how they police their practices.
More than half of respondents said the nation-state attack on SolarWinds had no impact on any concerns they had about using software. The SolarWinds attack involved inserting malware into the Orion platform through a backdoor.
"The entire technology industry needs to change the way we build and buy software," said Kevin Bocek, VP of security strategy and threat intelligence at Venafi. "Much of the disconnect comes from the significant confusion related to who’s responsible for software pipeline security."
The research follows several major attacks since late 2020 that exposed weaknesses in the software supply chain. In July, a ransomware attack by REvil targeted the Kaseya remote monitoring platform. The Biden administration said it would make software security a priority after the SolarWinds attack.