April 24th, 2023

Nine Out of 10 Companies Detected Significant Software Supply Chain Security Risks in the Last 12 Months, According to New ReversingLabs Report


Facing a Growing Threat, More Than 70 Percent Confirm that Current Application Security Solutions Fail to Protect Companies From Software Supply Chain Security Risks

Global research commissioned by ReversingLabs, the market leader in software supply chain security, and conducted by Dimensional Research, revealed evidence that organizations recognize, and have been impacted by, software supply chain security threats. The ReversingLabs Software Supply Chain Risk Survey found that nearly 90 percent of technology professionals detected significant risks in their software supply chain in the last year. More than 70 percent said that current application security solutions aren’t providing necessary protections.

Dimensional Research surveyed more than 300 global executives, technology, and security professionals at all seniority levels directly responsible for software at enterprise companies. The ReversingLabs Software Supply Chain Risk Survey set out to identify the sources of software supply chain security issues across internally developed, open source, third-party and commercial software, as well as the frequency of these issues. Through the research, ReversingLabs also sought to investigate the maturity of organizations’ software supply chain security programs, the tools currently used, and the perceived value of those tools in addressing the security of the software supply chain.

Key findings of the ReversingLabs Software Supply Chain Risk Survey include:

Software Supply Chain Issues Fuel Ongoing Business Risk

Nearly all respondents (98 percent) recognized that software supply chain issues pose a significant business risk, citing concerns beyond vulnerable code: secrets exposures, tampering and certificate misconfigurations. Interestingly, more than half of technology professionals (55 percent) cited secrets leaked through source code as a serious business risk, followed by malicious code (52 percent) and suspicious code (46 percent). Recent public attention on secrets exposure from CircleCI and other breaches has heightened awareness of this emerging issue. Software tampering was cited by 38 percent of professionals in the study as a serious risk. The disclosure of the recent 3CX supply chain attack may drive more attention to that issue.

These sources of risk led to problems for the majority of respondents: almost nine out of 10 companies detected security or other software issues in their software supply chain in the last 12 months. While open source software has long been viewed as the main culprit for software supply chain security issues, the research reveals that internally developed software (47 percent) is nearly tied with open source (49 percent) for the leading source of software issues, followed by commercial software (30 percent).

Enterprises Lack Control of the Software Supply Chain…and They Know It

Despite the prevalence of software supply chain risks, most enterprises are ill-equipped to identify and mitigate those risks, according to the findings of the survey.

Survey participants overwhelmingly (88 percent) recognized that software supply chain security is an enterprise-wide risk, but only six out of 10 felt their software supply chain defenses were up to the task. Acknowledging the issue, 80 percent disclosed that their company is directly focused on improving security for the software supply chain.

The complexity of modern software development is partly to blame. For example, more than half of companies developing software that responded to the survey said they used contractors and third-party development companies as part of their software development process. The reliance on third parties increases cyber risk. In fact, according to the World Economic Forum’s Global Cybersecurity Outlook 2022, indirect cyberattacks—successful breaches coming into companies through third parties—increased to 61 percent from 44 percent in the last several years.

Application Security Solutions Leave Gaps in Software Supply Chain Protection

The lack of proper tools may be exacerbating software supply chain risk. Almost three quarters (74 percent) of professionals surveyed agreed that traditional application security solutions, including software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST), are ineffective at protecting companies from modern software supply chain threats.

Application security testing and software composition analysis solutions are important components of software supply chain security. However, they only address specific risks such as software vulnerabilities, while leaving gaps. Companies recognize these solutions alone, or even in combination, are not enough, and nearly all agree (96 percent) that a dedicated software supply chain security (SSCS) solution is very important, enabling teams to securely control the release of software via the detection of software supply chain threats, malware, malicious behaviors, tampering and secrets exposures.

Wanted: Dedicated Software Supply Chain Security

As defined for respondents, SSCS goes beyond SCA solutions, which only provide open-source licensing compliance and vulnerability detection, and beyond SAST and DAST solutions, which analyze source code quality for vulnerabilities.

Software supply chain risks demand evolved application security capabilities that confront the full spectrum of challenges introduced by internally developed, open source and third-party components, commercial software, and binary misconfigurations. ReversingLabs’ comprehensive Software Supply Chain Security (SSCS) platform goes beyond addressing vulnerabilities and license compliance issues in open source components: it inspects internally developed binaries, commercial and third-party code, and identifies malware, malicious behaviors, misconfigured certificates, evidence of tampering, and version differences, and provides secrets detection and prioritization.