FOR IMMEDIATE RELEASE
Software Tampering Emerges as an Invisible Risk Among Respondents; 87 Percent Recognize the Dangers, Yet Only 37 Percent Capable of Detection
CAMBRIDGE, MASS., June 1, 2022 - Global research commissioned by ReversingLabs, the leader in software supply chain security, and conducted by Dimensional Research, revealed that software development teams are increasingly concerned about supply chain attacks and tampering, but barely a third said they can effectively vet the security of developed and published code for tampering.
Dimensional Research surveyed more than 300, global IT and security professionals. Respondents included executives, technology, and security professionals at software enterprises both large and small representing all seniority levels and with digital product or leadership responsibilities.
Despite being aware of the dangers of publishing vulnerable software, the survey found, companies continue to put themselves at risk for software supply chain attacks.
Key findings of the survey include:
- Companies are rolling the dice with software releases. Among survey respondents, 54 percent said their firm knowingly releases software with potential security risks.
- Third party code increases supply chain risk. Nearly every respondent (98 percent) reported that third party software use including open-source software increases security risks. However, just over half (51 percent) report being able to protect their software from supply chain attacks.
- Software tampering is real, but it’s invisible: 87 percent of security and technology professionals agree that software tampering is a new vector with breach opportunities for bad actors, but only 37 percent indicate they have a way to detect it across their supply chain.
- Of those that can detect software tampering, just seven percent do it at each phase of the software development lifecycle, and just 1 in 3 actually check for tampering once an application is final and deployed.
“Executives are acutely aware of software supply chain risks,” said Mario Vuksan, CEO and Co-Founder, ReversingLabs. “That’s not surprising, given the visibility of high profile attacks and the US administration’s directive to set baseline security standards for software sold to the government. We can be confident that organizations recognize that software risks extend beyond vulnerabilities and malware, and that tampering threats represent a growing attack vector opening them up to new risks. Unfortunately, most are still behind in their ability to address tampering.”
The survey also revealed that executives are open to adopting tools like software bills of materials (SBoMs) to help them manage the complex task of monitoring and detecting supply chain compromises and risks. More than three quarters of those surveyed (77 percent) said they appreciate the value of an SBoM as a way to test for tampering. However, most companies fail to generate and review SBoMs. Respondents said the complexity and prevalence of tedious, manual processes for creating SBoMs were obstacles. So too were the lack of best practices, processes, and tools, combined with a lack of expertise.
Other findings of the survey:
- Only 27 percent of companies currently generate and review SBoMs, and 90 percent indicated increasing difficulty to create and review SBoMs.
- Nearly half of respondents reported SBoM generation and review processes involve manual steps.
- Lack of expertise (44 percent) and inadequate staffing to review and analyze SBoMs (44 percent) were the leading reasons behind companies’ inability to generate and review an SBoM.
“Respondents recognize that tooling and automation is necessary for the detection of tampering at all phases of the software development process. Still, they struggle to advance it in practice,” observed Vuksan. “As new solutions become available that provide insight into developed code and that can detect tampering before public distribution, organizations can take steps to properly manage their software supply chain risk, and ensure that their code isn’t a victim of tampering by sophisticated cyber actors. ReversingLabs leads the way today, helping development teams improve the secure quality of software releases and providing security operations teams the necessary visibility to be more proactive in incident response and threat hunting processes.”
According to the 2022 Gartner® report titled, Innovation Insight for SBOMs, “software supply chain security attacks have exposed the risks associated with commercially procured tools and platforms because you don’t know what’s “inside the box.” Gartner research goes on to say that “while reusable components and open-source software have simplified software development, this simplicity has exposed a critical visibility gap: Organizations are unable to accurately record and summarize the massive volume of software they produce, consume and operate. Without this visibility, software supply chains are vulnerable to the security and licensing compliance risks associated with software components.”
Companies Lack Tools to Detect Software Tampering, Supply Chain Hacks
ReversingLabs full report, Flying Blind: Software Firms Struggle To Detect Supply Chain Hacks, covering the survey results, is available immediately. To learn more about the findings access the overview and infographic.
Early Access to ReversingLabs secure.software
In 2021 ReversingLabs launched its Managed Software Assurance Service to protect the software development and release process from sophisticated software supply chain attacks. The service provides threat research-led analysis and security interpretation of software package security quality, audit tracking, and remediation. ReversingLabs is incorporating this service within its soon to be released ReversingLabs secure.software solution and will be demonstrating these capabilities at the RSA Conference taking place June 6-9 at San Francisco’s Moscone Center. To learn more visit ReversingLabs at Booth #4429, or sign up for early access to ReversingLabs secure.software at https://secure.software.
ReversingLabs secure.software, provides software supply chain security protection for CI/CD workflows, containers, and release packages. It is the only integrated platform that detects high-risk threats, malware, backdoors, exposed secrets, and software tampering across the software development cycle. Organizations and DevSecOps teams producing software are empowered to prevent modern software supply chain attacks from reaching production or customer environments, without impacting developer productivity and at the speed needed to keep release cycles on time.
ReversingLabs empowers modern software development and security operations center teams to protect their software releases and organizations from sophisticated software supply chain security attacks, malware, ransomware and other threats.
The ReversingLabs Titanium Platform analyzes any file, binary or object including those that evade traditional security solutions. It’s a hybrid-cloud, privacy centric, platform that unifies Dev and SOC teams with transparent and human readable threat analysis, arming developers, DevSecOps, SOC analysts and threat hunters to confidently respond to software tampering and security incidents.
ReversingLabs data is used by more than 65 of the world’s most advanced security vendors and their tens of thousands of security professionals. ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that enable teams to access the analysis they need to make quick security verdicts, eliminate threats, and release software with confidence.
Gartner, Innovation Insight for SBOMs, By Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.