Software supply chain attacks are an enterprise-wide risk, and traditional application security testing tools are leaving organizations exposed — and mired in outdated security strategies. These are the key findings of a recent survey of 321 IT professionals, conducted by Dimensional Research.
What does this mean for your organization? The tooling gap — and a lack of maturity in approach — is leaving companies exposed to the increasing risks highlighted by recent attacks, including those on 3CX and CircleCI.
Chris Wilder, research director at TAG Cyber, reviewed the survey's findings with ReversingLabs field CISO Matt Rose. Their analysis is included in a new report, the Software Supply Chain Security Risk Report.
Here are key highlights from the report — and an explanation of why you need to upgrade your AppSec tools and supply chain security approach.
[ Get report: Software Supply Chain Security Risk Report | See related Webinar: Does Your Organization Understand Its Software Supply Chain Risk? ]
Traditional AppSec tools alone don’t cut it
Tools such as static and dynamic application security testing (SAST and DAST) and software composition analysis (SCA) are effective in detecting threats in software applications such as exploitable software vulnerabilities or dependencies. However, these legacy AppSec tools focus on open-source and source-code analysis, overlooking the risk posed by modern software supply chain attacks, including active malware, secrets, and tampering.
This gap in tooling has become a reality for enterprises today. In the Dimensional Research survey, 74% of IT and security professionals reported that tools such as SAST, DAST, and SCA aren’t adequate in fully protecting their organizations from software supply chain threats. This signifies that security teams currently need more comprehensive tools to handle software supply chain attacks.
The attacks on 3CX and CircleCI showcased that organizations need to go beyond vulnerability management in their efforts to secure their software supply chain and manage risk. This represents a fundamental shift in the requirements for application security tools.
The software supply chain is increasingly complex
In addition to the problem traditional AppSec tools missing the mark, the survey found that the increased complexity of development environments posed security risks to organizations. Nearly half of respondents said that their organization’s internally developed and open-source software are sources of risk.
Open-source software, which is used in an estimated 97% of all applications, has become a clear risk to supply chains this past year, with the amount of attacks on the open-source repositories npm and PyPI increasing by about 300% over the past four years.
What has received less attention however, is how internally developed software has become more complex, with increasing reliance on external contractors and third-party platforms and code to streamline development processes. This supply chain complexity adds to the challenges security teams are facing.
The lack of effective tools for detecting supply chain attacks is having very real consequences for enterprises this year. Nearly 9 in 10 of the practitioners surveyed said that their companies have detected security issues in their software supply chains in the last 12 months. And 88% said software supply chain security presents an enterprise-wide risk to their organizations.
Upgrade your AppSec tooling
Despite the sobering statistics on risk, nearly two-thirds of the survey respondents (65%) reported that their organization does not have a mature software supply chain security program. This likely contributes to the overwhelming number of organizations that have dealt with security issues in their supply chains this past year.
The report highlights the new requirement for tools that fully analyze the security of a software package before it ships. This means that teams should deploy a security tool that pinpoints the possible risks in the version of a software package or container to be deployed in production or delivered to customers.
Modern tooling that utilizes binary analysis is the best method to go about finding these risks, the report finds. Binary analysis can also provide a comprehensive software bill of materials (SBOM), which can serve as a guide for identifying software risks in a software package.
Rose outlines in the report why modern AppSec tooling that goes beyond vulnerabilities and source code analysis is key.
"It’s not about doing a runtime analysis to see what the application is doing from a functional standpoint — you’re programmatically reverse engineering it down to the most granular level to say, 'Here’s everything this application does. Is this what’s expected?'"
—Matt Rose
Supply chain security maturity: A new requirement
Upgrading your tools is just a starting point for organizations looking to develop more mature software supply chain security programs. Wilder and Rose write that for security teams to successfully manage software supply chain security, they cannot go at it alone.
The report recommends that software development teams, application security. risk and compliance, the security operations center (SOC), and others all need to play a part in securing an organization's software supply chain.
Wilder, the main author of the new Software Supply Chain Risk Report, argues that taking a modern approach to software supply chain security is now a requirement for managing risk.
“[Companies must] adopt a proactive, holistic approach to software supply chain security that goes beyond vulnerability management and detection to include comprehensive visibility into supply chain risks, consistent threat remediation, and an enterprise-wide approach to risk management.”
—Chris Wilder
[ Get report: Software Supply Chain Security Risk Report | See related Webinar: Does Your Organization Understand Its Software Supply Chain Risk? ]
