Majority of Organisations Impacted by Software Supply Chain Attacks Over the Past Year

The majority of global organisations (54%) suffered a software supply chain attack over the past year, and most are unable to keep up with the growing risk landscape. This is according to “The State of Software Supply Chain Security Risk” report, released today by Synopsys, Inc.(Nasdaq: SNPS) and the Ponemon Institute, which also found that 50% of organisations took more than a month to respond to an attack. One in five say that their organisation is not effective in its ability to detect and respond to these attacks.

The data also shows that AI is becoming ubiquitous across the software development life cycle. The majority of security professionals (52%) say their development teams leverage AI tools to generate code, specifically OpenAI Codex (50%), ChatGPT (45%) and GitHub Copilot (43%). While the use of AI creates efficiencies by automating decision-making, the findings indicate that concerningly few protections are put in place: only a third (32%) of organisations have processes to evaluate AI-generated code for license, security, and quality risks.

Survey respondents also cited a worrisome lack of commitment from decision-makers when mitigating these issues. Only 39% say their organisation’s leaders are highly committed to reducing the risk of malware in software supply chains. Even though 45% of security professionals say supply chain compromises such as SolarWinds have led to increased investment in software supply chain security, only 38% say resources dedicated to securing the supply chain are sufficient or very sufficient.

“Supply chain attacks are becoming more prevalent across organisations globally, yet this report highlights the sustained weaknesses in existing software development processes and security standards,” said Jason Schmitt, general manager, Synopsys Software Integrity Group. “Attackers are getting more sophisticated and thus finding more weaknesses that allow them to explore a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications, and continuously evaluate IP, security threats, and code quality to reduce risk.”

Additional key findings include:

  • Organisations forgoing SBOM implementation: Software Bills of Materials (SBOMs) are critical to ensuring a secure software supply chain but only 35% of security professionals say their organisations produce them. Furthermore, only 40% say they immediately stop the use of software if the supplier doesn’t provide a requested SBOM. The main reasons organisations generate SBOMs are general dependency and vulnerability management (50%), industry regulations (39%), customer requirements (38%), and government requirements (38%).
  • Open source vulnerabilities remain a huge risk: Nearly two-thirds (65%) of respondents say they use open source software, although less than half of respondents (47%) say their organisations are very or highly effective in securing it in the supply chain.

To learn more, download a copy of “The State of Software Supply Chain Security Risks” report, read the blog post or register for the May 23 webinar.

Methodology

The survey collected responses from 1,278 IT and IT security practitioners who are in organisations that are committed to achieving a secure software supply chain and have some level of responsibility for their organisations’ software supply chain security strategy. The regions and countries in this research are North America (613 respondents), EMEA (362 respondents), and Japan (303 respondents).

CSA Editorial

CSA was launched in Jan 2018 in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, risk professionals and C-levels who have an obligation to understand the impact of cyber threats.