Facing a Growing Threat, More Than 70 Percent Confirm that Current Application Security Solutions Fail To Protect Companies From Software Supply Chain Security Risks
CAMBRIDGE, MASS., April 20, 2023 - Global research commissioned by ReversingLabs, the market leader in software supply chain security, and conducted by Dimensional Research, revealed evidence that organizations recognize, and have been impacted by, software supply chain security threats. The ReversingLabs Software Supply Chain Risk Survey found that nearly 90 percent of technology professionals detected significant risks in their software supply chain in the last year. More than 70 percent said that current application security solutions aren't providing necessary protections.
“There is a growing awareness among organizations that threats to the software supply chain present undeniable risks to their business, as demonstrated by 96 percent of respondents who agree that a comprehensive software supply chain security solution is important to detect software threats beyond vulnerabilities,” said Mario Vuksan, CEO and Co-founder, ReversingLabs. “Additionally, gaps in current application security tools mean that companies must explore software supply chain security options that enable them to securely release applications, safely procure software and quickly identify and respond to threats.”
Dimensional Research surveyed more than 300 global executives, technology, and security professionals at all seniority levels who are directly responsible for software at enterprise companies. The ReversingLabs Software Supply Chain Risk Survey set out to identify the sources of software supply chain security issues across internally developed, open source, third-party and commercial software, as well as the frequency of these issues. Through the research, ReversingLabs also sought to investigate the maturity of organizations’ software supply chain security programs, the tools currently used, and the perceived value of those tools in addressing the security of the software supply chain.
Key findings of the ReversingLabs Software Supply Chain Risk Survey include:
Software Supply Chain Issues Fuel Ongoing Business Risk
Nearly all respondents (98 percent) recognized that software supply chain issues pose a significant business risk, citing concerns that go beyond vulnerable code: secrets exposures, tampering and certificate misconfigurations. Interestingly, more than half of technology professionals (55 percent) cited secrets leaked through source code as a serious business risk, followed by malicious code (52 percent) and suspicious code (46 percent). Recent public attention on secrets exposure from CircleCI and other breaches has heightened awareness of this emerging issue. Software tampering was cited by 38 percent of professionals in the study as a serious risk. The disclosure of the recent 3CX supply chain attack may drive more attention to that issue.
These sources of risk led to problems for the majority of respondents: almost nine out of 10 companies detected security or other software issues in their software supply chain in the last 12 months. While open source software has long been viewed as the main culprit for software supply chain security issues, the research reveals that internally developed software (47 percent) is nearly tied with open source (49 percent) for the leading source of software issues, followed by commercial software (30 percent).
Enterprises Lack Control of the Software Supply Chain…and They Know It
Despite the prevalence of software supply chain risks, most enterprises are ill-equipped to identify and mitigate those risks, according to the findings of the survey.
Survey participants overwhelmingly (88 percent) recognized that software supply chain security is an enterprise-wide risk, but only six out of 10 felt their software supply chain defenses were up to the task. Acknowledging the issue, 80 percent disclosed that their company is directly focused on improving security for the software supply chain.
The complexity of modern software development is partly to blame. For example, more than half of companies developing software that responded to the survey said they used contractors and third-party development companies as part of their software development process. The reliance on third parties increases cyber risk. In fact, according to the World Economic Forum’s Global Cybersecurity Outlook 2022, indirect cyberattacks—successful breaches coming into companies through third parties—increased to 61 percent from 44 percent in the last several years.
Application Security Solutions Leave Gaps in Software Supply Chain Protection
The lack of proper tools may be exacerbating software supply chain risk. Almost three quarters (74 percent) of professionals surveyed agreed that traditional application security solutions, including software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST), are ineffective at protecting companies from modern software supply chain threats.
Application security testing and software composition analysis solutions are important components of software supply chain security. However, they only address specific risks such as software vulnerabilities, while leaving gaps. Companies recognize these solutions alone, or even in combination, are not enough, and nearly all agree (96 percent) that a dedicated software supply chain security solution is very important, enabling teams to securely control the release of software via the detection of software supply chain threats, malware, malicious behaviors, tampering and secrets exposures.
Wanted: Dedicated Software Supply Chain Security
As defined for respondents, software supply chain security goes beyond SCA solutions, which only provide open-source licensing compliance and vulnerability detection, and beyond SAST and DAST solutions, which analyze source code quality for vulnerabilities.
“Software supply chain security needs to be recognized as a separate discipline within the application security ecosystem,” continued Vuksan. “There is evidence the market agrees. In fact, more than half of survey respondents indicated they are already allocating budget specifically for software supply chain security tools, suggesting they recognize the present threat and see it as a uniquely defined category. We expect this trend to continue and grow even more in the coming months.”
Software supply chain risks demand evolved application security capabilities that confront the full spectrum of challenges introduced by internally developed, open source and third-party components, commercial software, and binary misconfigurations. ReversingLabs’ comprehensive Software Supply Chain Security platform goes beyond addressing vulnerabilities and license compliance issues in open source components: it inspects internally developed binaries and commercial and third-party code, identifying malware, malicious behaviors, misconfigured certificates and evidence of tampering, and providing version differencing as well as secrets detection and prioritization.
To learn more about today’s findings, read the report highlights blog post or watch the on-demand webinar, Revealing the Biggest Concerns About Software Supply Chain Security. Also, see the three-minute demo and learn more about the ReversingLabs Software Supply Chain Security Platform.
ReversingLabs protects the modern enterprise from sophisticated software supply chain security attacks, malware, ransomware, and other threats.
The ReversingLabs Software Supply Chain Security platform analyzes any file, binary, or software package, including those that evade traditional security solutions. The hybrid-cloud, privacy-centric platform democratizes insights across the enterprise, enabling development teams to securely release applications; third-party risk teams to safely procure software; and security operations teams to monitor, isolate and quickly respond to threats.
ReversingLabs data is used by more than 65 of the world's most advanced security vendors and their tens of thousands of security professionals. ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that enable teams to access the analysis they need to make quick security verdicts, eliminate threats, and release software with confidence.
Guyer Group – Doug Fraim