Global survey finds few IT and security professionals
CAMBRIDGE, Mass., June 01, 2022 (GLOBE NEWSWIRE) — A global study commissioned by ReversingLabs, the leader in software supply chain security, and conducted by Dimensional Research, found that software development teams are increasingly concerned about supply chain attacks and tampering, but barely a third said they could effectively audit the security of developed and released code for tampering.
Dimensional Research surveyed more than 300 global IT and security professionals. Respondents included executives, technology and security professionals at software companies large and small, representing all hierarchical levels and with responsibilities in digital products or leadership.
Despite being aware of the dangers of releasing vulnerable software, the survey found that companies continue to expose themselves to software supply chain attacks.
Key findings from the survey include:
- Companies roll the dice with software releases. Among survey respondents, 54% said their company knowingly releases software that poses potential security risks.
- Third-party code increases supply chain risk. Almost all respondents (98%) indicated that the use of third-party software, including open source software, increases security risks. However, just over half (51%) say they are able to protect their software against supply chain attacks.
- Software tampering is real, but it’s invisible. 87% of security and technology professionals agree that software tampering[1] is a new vector with breach opportunities for bad actors, but only 37% say they have a way to detect it in their supply chain.
- Of those who can detect software tampering, only 7% do so at each phase of the software development lifecycle, and only 1 in 3 actually check for tampering once an application is final and deployed.
“Executives are acutely aware of the risks in the software supply chain,” said Mario Vuksan, CEO and co-founder of ReversingLabs. “This is not surprising, given the visibility of high-profile attacks and the US administration’s directive to establish basic security standards for software sold to the government. We can be sure that organizations recognize that software risks go beyond vulnerabilities and malware, and that tampering threats represent a growing attack vector opening them up to new risks. Unfortunately, most still lag behind in their ability to fight tampering.”
The survey also revealed that leaders are open to adopting tools such as a Software Bill of Materials (SBoM) to help them manage the complex task of monitoring and detecting supply chain compromises and risks. More than three-quarters of respondents (77%) said they appreciate the value of an SBoM as a way to test for tampering. However, most companies fail to generate and review SBoMs. Respondents said the complexity and prevalence of cumbersome manual processes for building SBoMs were barriers, as was the lack of best practices, processes and tools, combined with a lack of expertise.
Other survey results:
- Currently, only 27% of companies generate and review SBoMs, and 90% indicated that it is increasingly difficult to create and review SBoMs.
- Nearly half of respondents indicated that the SBoM build and review processes involved manual steps.
- Lack of expertise (44%) and insufficient staff to review and analyze SBoMs (44%) were the top reasons for companies’ inability to generate and review an SBoM.
“Respondents recognize that tooling and automation are necessary for tamper detection at all phases of the software development process. Yet they struggle to advance it in practice,” observed Vuksan. “As new solutions become available that provide insight into developed code and can detect tampering before public distribution, organizations can take steps to properly manage their software supply chain risks and ensure that their code is not tampered with by sophisticated cyber actors. ReversingLabs is leading the way today, helping development teams improve the secure quality of software releases and giving security operations teams the visibility needed to be more proactive in the incident response and threat hunting processes.”
According to the Gartner® 2022 report titled Innovation Insight for SBOMs, “software supply chain security attacks have exposed the risks associated with off-the-shelf tools and platforms because you don’t know what’s ‘inside the box.’” Gartner’s research goes on to say that “although reusable components and open source software have simplified software development, this simplicity has revealed a critical lack of visibility: organizations are unable to accurately record and summarize the volume mass of software that they produce, consume and exploit. Without this visibility, software supply chains are vulnerable to security and licensing compliance risks associated with software components.”
Companies lack tools to detect software tampering and supply chain hacks
The full report from ReversingLabs, Flying Blind: Software companies struggle to detect supply chain hacks, covering the results of the survey, is available immediately. To learn more about the results, go to Insight and infographics.
Early access to ReversingLabs secure.software
In 2021, ReversingLabs launched its Managed Software Assurance Service to protect the software development and release process against sophisticated software supply chain attacks. The service provides threat research-based analysis and security interpretation of software package security quality, audit tracking and remediation. ReversingLabs is integrating this service into its soon-to-be-launched ReversingLabs secure.software solution and will be demonstrating these capabilities at the RSA conference taking place June 6-9 at the Moscone Center in San Francisco. To learn more, visit ReversingLabs at booth #4429 or register for early access to ReversingLabs secure.software at https://secure.software.
ReversingLabs secure.software provides software supply chain security protection for CI/CD workflows, containers, and release packages. It is the only integrated platform that detects high-risk threats, malware, backdoors, exposed secrets, and software tampering throughout the software development lifecycle. Organizations and DevSecOps teams producing software are empowered to prevent modern software supply chain attacks from reaching production or customer environments, without impacting developer productivity and at the speed needed to maintain release cycles.
About ReversingLabs
ReversingLabs enables modern software development and security operations center teams to protect their software releases and organizations against sophisticated software supply chain security attacks, malware, ransomware, and other threats.
The ReversingLabs Titanium platform scans any file, binary, or object, including those that evade traditional security solutions. It is a privacy-centric hybrid cloud platform that unifies Dev and SOC teams with transparent, human-readable threat analysis, arming developers, DevSecOps, SOC analysts and threat hunters to confidently respond to software tampering and security incidents.
ReversingLabs data is used by more than 65 of the world’s most advanced security vendors and their tens of thousands of security professionals. ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that give teams access to the analytics they need to deliver rapid security verdicts, eliminate threats, and publish software with confidence.
Gartner, Innovation Insight for SBOMs, By Manjunath Bhat, Dale Gardner, Mark Horvath, February 14, 2022
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the United States and internationally and is used herein with permission. All rights reserved.
Doug Fraim, Guyer Group
[1] Tampering is defined as changes with malicious intent that can occur in the development pipeline independent of a vulnerability detection and remediation program.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/deb18366-0856-4de6-b67e-37de10377d77