AppSec & Supply Chain Security | April 20, 2023

Companies scramble to cover software supply chain security gaps: 3 key survey takeaways

In a new ReversingLabs Software Supply Chain Risk Survey, IT pros say supply chain security poses an “enterprise-wide” risk that traditional app sec tools can't address.

Paul Roberts, Director of Content and Editorial at RL

The cyber risks posed by vulnerabilities in the internal, open-source and third-party software that make up modern supply chains are a source of intense concern for both development teams and security operations centers, according to a recent Dimensional Research survey of more than 300 IT professionals, commissioned by ReversingLabs.

The ReversingLabs Software Supply Chain Risk Survey polled executives and IT professionals responsible for software at enterprise-scale companies. Respondents were split between North America (67%) and Europe (33%), with most saying they work in the technology (19%), financial services (13%), healthcare (9%) and telecommunications (8%) industries.

The findings underscore a growing alarm over the protection gap within both software development firms and their customers as software supply chain attacks and breaches, such as the 2020 SolarWinds attack and the more recent compromise at voice over IP (VoIP) vendor 3CX, become more common.

Here are three key insights from the ReversingLabs Software Supply Chain Risk Survey.


1. Software supply chain risks are a major issue

The risks posed by the software supply chain loom large for most survey respondents.

Eighty-eight percent of respondents said software supply chain security presented an “enterprise-wide risk” to their organizations, while nearly two thirds (65%) said their organizations' software supply chain security program wasn't as mature as it should be.


Eighty-seven percent said their company detected software issues in its software supply chain in the last 12 months. Those risks came from several sources, including internally developed software, software licensed from third-party suppliers, and open-source software.


Most organizations focus on vulnerabilities when assessing software supply chain risk, but understanding of the cyber risk is broadening. Asked what issues pose the biggest business risk to their organizations, 82% of respondents cited software containing vulnerabilities, and 55% said the exposure of secrets such as sensitive information, access tokens and credentials in software code, followed by secrets in malicious code (52%), and suspicious code (46%) that had been inserted into applications.

Software vulnerabilities in code were the most common issue survey takers reported, with 65% having encountered them in the last 12 months. But they also cited certificate misconfigurations (37%), exposed secrets (25%) and suspicious code (24%).

2. Supply chain risk goes beyond open source

The complexity of software supply chain security reflects the complexity of modern software development itself. Most respondents said their organizations rely on non-employees to help them develop software, including contractors (67%) and third-party software development firms (59%). And their organizations rely on internally developed (82%), commercial (79%) and open-source (74%) code in about equal measure.

When asked to name the source of software security issues such as tampering, vulnerabilities and malicious code, 70% cited open-source software. Far fewer cited internally developed software (59%) or software developed by contractors and third parties (57%).

But when asked to reflect on the issues within their own organizations, 47% said internally developed software was a major source of issues affecting their software supply chain — nearly as many as the 49% who named open-source software.


3. Companies are retooling to secure the software supply chain

Despite the prevalence of supply chain risk, enterprise defenses for supply chain risks and threats are not where they should be. Asked whether their organizations' software supply chain security programs were “as mature as it should be,” nearly two thirds of respondents (65%) said no.


That could be the result of a tooling gap. Existing application security technologies such as static and dynamic application security testing (SAST and DAST) focus on the problem of identifying software vulnerabilities in code under development. Software composition analysis (SCA) technology — another common application security tool — uses an inventory of the open-source modules used in enterprise code bases to root out issues related to licensing, compliance and code quality.

Both technologies are in wide use. More than half (54%) of respondents said their organizations use SAST technology, 42% use DAST and 40% use SCA tools. But most survey respondents said these legacy technologies aren’t adequate to address the full spectrum of supply chain risks. Asked whether SAST, DAST and SCA solutions “fully protect companies from current software supply chain threats,” nearly three quarters (74%) said no.


Enterprises are already taking steps to address the gaps. Eighty percent of respondents said their organizations had initiatives under way to improve software supply chain security. The exact shape those initiatives will take isn’t clear, but 70% said solutions to mitigate software supply chain threats were “extremely” or “moderately” important.

Rising awareness is driving supply chain security changes

Current events are likely to drive even more attention to supply chain threats and attacks. Respondents showed a strong interest in supply chain security technologies before the recent revelations of a supply chain attack on the voice over IP firm 3CX, which led to compromises at several of the company’s customers.

Some of these attacks may be preventable. For example, a ReversingLabs analysis of the compromised software update to 3CX’s Windows and Mac OS desktop clients revealed clear signs of tampering. Had 3CX detected those signs in advance, it never would have released the update to customers.

Incidents such as SolarWinds and 3CX have raised awareness of software supply chain risks, including threats posed by software tampering, malicious code and secrets exposure from public and private code repositories. Those high levels of awareness are just the beginning of what's likely to be a much larger transformation in how enterprises handle software supply chain security.
