Dimensional Research recently polled more than 300 technology professionals in the United States and Europe on the state of software supply chain security. The survey, sponsored by ReversingLabs, revealed growing alarm from teams charged with securing software across its lifecycle.
To reflect on and gain feedback from others in the industry, ReversingLabs' Paul Roberts and Matt Stephenson recently hosted a webinar to discuss the survey’s results — and to compare them to what attendees are seeing on their own security teams.
Here are key takeaways from the webinar discussion about the ReversingLabs Software Supply Chain Risk Survey.
[ Watch the webinar: Security Pros Reveal Top 7 Software Supply Chain Security Concerns | eBook: Why Traditional App Sec Testing Fails on Supply Chain Security ]
Extra, extra! Headlines matter
As is the case with application security and cybersecurity generally, threats to software supply chains advance at the speed of technological innovation, with bad actors becoming early adopters of new tools and technologies. On the question of supply chain risk, when Dimensional Research polled respondents on which software issues pose the biggest risk to their companies, the vast majority (82%) cited software that contains vulnerabilities. That reflects a longstanding focus on vulnerability management, which has been a standard app sec practice for the past two decades.
However, times are changing, and threat actors’ advancements and attacks have made headlines, creating an even greater awareness in the industry that threats extend beyond vulnerabilities. In the past six months, several major software supply chain security incidents have been reported, such as the software supply chain attack on CircleCI, which was the result of a secrets exposure, as well as the attack on 3CX, which was an example of highly targeted tampering.
The CircleCI and 3CX incidents, which happened after the survey was taken, garnered a lot of recent attention, but 2022 was an eye-opener for many, as noted in our special report The State of Software Supply Security 2022-23. In the webinar, attendees were asked to say which issues posed the biggest risk to their software supply chains. Concerns about the risks of software vulnerabilities were evenly distributed along with issues such as software tampering, secrets exposures, and malicious code — a likely reflection of the CircleCI and 3CX headlines.
Lack of trust in the software supply chain is pervasive
In addition to the industry becoming more aware of the various threats to software supply chains, security teams are increasingly wary of software sources that are targeted by threat actors. In Dimensional Research’s polling of professionals, the majority of respondents (70%) cited open-source software as a source of software security issues. This reflects the steep increase in attacks on open-source repositories in recent years. In ReversingLabs' analysis of the National Vulnerability Database (NVD), for example, researchers discovered that attacks on two popular repositories, PyPI and npm, increased by almost 300% over the last four years.
For many security practitioners, that figure put a spotlight on an equally vulnerable building block of software, third-party suppliers. Most webinar participants found third-party software to be a greater source of software security threats than open-source software.
During the webinar, Stephenson pointed out that this increased attention to third-party software risk speaks to a lack of trust in these services, which are fundamental to software supply chains. It would make sense that this increase in attention could be attributed to the supply chain attack on 3CX, which impacted customers reliant on the company’s 3CXDesktopApp.
Open-source software remains a significant source of risk
There was also strong agreement among both the survey respondents and the attendees of the webinar about which software sources yield security issues for organizations. As with the survey respondents, 70% of webinar attendees cited open-source software as a primary source of software issues in their software supply chains.
This merely reflects reality. ReversingLabs’ own research speaks to the sheer number of these attacks. From grand-scale operations such as the IconBurst attack, which was a widespread campaign to spread malicious data harvesting packages on npm, to stealthier incidents, such as attackers pushing malware on PyPI via legitimate open-source modules, ReversingLabs threat researchers have uncovered a number of incidents that display an array of techniques attackers use to take advantage of open-source repositories.
Maturity matters: The evolution of app sec
The ReversingLabs Software Supply Chain Risk Survey clearly indicates that the industry is moving in the right direction on software supply chain security. Identifying security teams' fears — and the risks and key factors that contribute to software supply chain attacks — is essential for the industry’s progress.
But software teams are facing growing supply chain complexity and threats. ReversingLabs Field CISO Matt Rose wrote as part of our Evolution of App Sec special report that threat actors aren't limited to compromising software repositories when attacking a software supply chain — and neither should defenders limit themselves to legacy app sec testing tools when protecting the software supply chain.
What’s needed next is action on how teams can mature their software supply chain security programs. This means making teams fully aware of the threats to look out for as well as supplying them with the modern tooling that best handles advanced threats.
Rose said a modern software supply chain security platform needs to protect both infrastructure and applications — and shift the emphasis from vulnerabilities to malware. Binary analysis allows deeper visibility for teams to ensure their software is secure by focusing on how code behaves, regardless of where it came from.
Software supply chain security needs to be recognized for what it has become: a separate discipline within the application security ecosystem.
—Matt Rose
[ Watch the Webinar: Security Pros Reveal Top 7 Software Supply Chain Security Concerns | eBook: Why Traditional App Sec Testing Fails on Supply Chain Security ]
Keep learning
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.