- As the software industry struggles to recover from a supply chain security crisis, a research study shows industry executives are saying the right things, but doing very little to back up the rhetoric with decisive action to ensure vendor security.
- About 94% of IT and development executives agreed that software vendors should have consequences, including fines and increased legal liability, for failing to secure their build process, according to a study by Venafi released Tuesday. The survey of more than 1,000 IT and development professionals included 193 executives that are tasked with both security and software development.
- However, most respondents have done little to increase the scrutiny of the software purchasing process. Respondents are also divided over which side of the aisle is responsible for software security, with 48% saying IT security is responsible, while 46% say development teams are responsible.
The disconnect between the rhetoric and the performance in the software development and security industries are part of an internal debate about which sector should take the lead, according to a key security researcher at Venafi.
The survey shows 97% of respondents agree that the software providers need to improve the security of their build and code signing process. In addition, 96% agree software providers need to guarantee the integrity of code included in software updates.
However, the report shows the industry has done little to back up those words with specific changes in how they police their practices.
More than half of respondents said the nation-state attack on SolarWinds had no impact on any concerns they had about using software. The SolarWinds attack involved a process of inserting malware into the Orion platform through a backdoor.
"The entire technology industry needs to change the way we build and buy software," Kevin Bocek, VP of security strategy and threat intelligence at Venafi. "Much of the disconnect comes from the significant confusion related to who’s responsible for software pipeline security."
The research follows several major attacks that exposed weaknesses in the software supply chain, since late 2020. In July, a ransomware attack by REvil targeted the Kaseya remote monitoring platform. The Biden administration said it would make software security a priority after the SolarWinds attack.