IDC Helps Organizations Navigate Software Supply Chain Security with New Industry-Leading Research

IDC

A general lack of readiness has contributed to a precipitous increase in software supply chain attacks, and every organization building software is a potential target. Consequently, every organization must be diligent to avoid becoming the next victim of a high-profile breach. To raise awareness of software supply chain security and inform organizations about what they can do to protect their software supply chain, International Data Corporation (IDC) has recently published a series of reports on the topic.

Software supply chain security aims to secure the components and activities that go into developing and deploying an application, such as people, processes, dependencies, and tools. Software supply chain security differs from traditional application security, which focuses on tools, technologies, and automated processes used to identify, fix, and protect software against vulnerabilities that could impact the application at run-time.

Most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks. In a recent DevSecOps survey, IDC found that less than 30% of respondents identified a vulnerable software supply chain as one of their top security gaps or exposures, and 23% indicated that they experienced some form of software supply chain breach, a 241% increase from the prior year.

Bad actors now recognize that the software supply chain is a soft target. They are becoming more sophisticated in hiding from detection, growing more patient and subtle, and taking time to learn about the environment before attacking. These adversaries could be nation-states or rogue hackers with criminal or malicious intent. They will try to target a company, either directly or as collateral damage, via its application software supply chain.

Over the past several years, numerous software supply chain breaches have occurred. Some well-known breaches include SolarWinds, Codecov, Kaseya, PyTorch, Applied Materials, and the recent 3CX business phone system attack. While these were all software supply chain attacks, the bad actors all used disparate techniques to attack the supply chain. One of the biggest hurdles in securing the software supply chain is recognizing and identifying all the means of exploitation.

“There has been an exponential increase in software supply chain breaches in recent years as malicious actors recognize that the software supply chain provides access to proprietary source code, build processes, or other automated update mechanisms, making it easy to infect DevOps pipelines and applications as well as the ability to move laterally across an organization to access customer data,” said Jim Mercer, research vice president, DevOps and DevSecOps, IDC.

SOURCE: Businesswire