
be careful! Software supply chain security challenges continue to escalate

2022-07-05 14:27:00 Seal security

Software supply chain security is in its infancy

The software company ActiveState conducted a survey on the security of the open source software supply chain, covering both the security of open source components and the security and integrity of the key software development processes. The conclusion: software supply chain security is still in its infancy.

Protecting the software supply chain means remediating vulnerabilities and implementing controls throughout the software development process. The key development processes are:

  • Import – Is the process by which third-party tools, libraries, code snippets, packages and other software resources are brought into the organization secure?

  • Build – Is the process of assembling and building artifacts from open source source code secure?

  • Run – Is the process by which the organization handles, tests and runs built artifacts across its development, test and production environments secure?

The survey received replies from more than 1,500 developers, security professionals and open source leaders, and its results show that supply chain security in the software industry is still in its infancy. One finding deserves attention: 32% of enterprises store their source code in open source repositories yet cannot provide any guarantee of the security and integrity of the software they deliver, and build reproducibility is low, so the security of anything built from that source code is a concern.

Software supply chain security is still a pain point for enterprises

Meanwhile, Venafi surveyed 1,000 CIOs from enterprises around the world; 82% of them said their organization is vulnerable to cyber attacks targeting the software supply chain.

Cloud-native development and the adoption of DevOps processes have made development more efficient, but they have also made software supply chain security more complex. At the same time, in the wake of large-scale attacks such as SolarWinds and Kaseya, attackers are stepping up their attacks on software build and distribution environments. Over the past year the number of these attacks has soared and their sophistication is unprecedented; software supply chain attacks have caused serious business interruption, loss of revenue, data theft and harm to customers. As a result, software supply chain security has begun to receive close attention from CEOs and boards of directors and has become a focus of concern.

Main findings :

  • 87% of CIOs believe that software engineers and developers make concessions and compromises on security policies and controls in order to bring new products and services to market faster.

  • 85% of CIOs said their board of directors or CEO has placed special emphasis on strengthening the security of the software build and distribution environment.

  • 84% of respondents said the budget for securing the software development environment has increased over the past year.

In the context of digital transformation, enterprises of every kind have begun to develop software, so the software development environment has become a huge target for malicious attackers. Attackers have discovered that attacks on the software supply chain, and especially attacks on machine identities, can be highly profitable.

In these types of attacks there are dozens of ways to compromise a development environment, including exploiting open source components such as Log4j. Worryingly, developers currently focus on innovation and development speed rather than security, and security teams lack the knowledge and resources to help development teams address and resolve security problems.

More than 90% of software applications use open source components, and the dependencies and vulnerabilities associated with open source software are extremely complex. CI/CD and DevOps pipelines improve developer productivity, but that does not make the software any safer. In the push for faster innovation, the complexity of open source and the speed of development limit the effectiveness of software supply chain security controls.

CIOs' security awareness is awakening

The survey results also show that CIOs have begun to realize they need to improve the security of the software supply chain:

  • 68% of enterprises are implementing more security controls

  • 57% of enterprises are updating their audit processes

  • 56% of enterprises are expanding their use of code signing, a key security control for the software supply chain

  • 47% of enterprises are investigating the provenance of their open source libraries
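The last two controls, code signing and knowing where your open source libraries come from, both come down to an integrity check at the Import stage described earlier: nothing enters the build unless its identity can be verified against something recorded in advance. The following is an added example, not code from the original article or from Seal security, ActiveState or Venafi. It implements a minimal import gate that verifies downloaded artifacts against a pip-style lockfile with pinned SHA-256 digests and rejects tampered or unpinned dependencies. The lockfile lines, package names and artifact bytes are constructed for the example; pinning a digest attests only that the bytes are the ones you reviewed, so it complements rather than replaces signature verification of the publisher.

```python
"""Import gate: verify third-party artifacts against a hash-pinned lockfile.

Added example for the Import stage (not from the original article). A
dependency passes only if it is pinned in the lockfile AND the downloaded
bytes hash to the pinned digest. Anything unpinned, missing, or altered is
rejected, so a tampered mirror or a silently replaced release cannot enter
the build.
"""
import hashlib
import hmac
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> Dict[str, Optional[str]]:
    """Map 'name==version' to its pinned sha256 digest, or None if unpinned.

    Accepts the pip '--hash=sha256:<hex>' option syntax; comments and blank
    lines are ignored. A line without a hash option is recorded as unpinned
    rather than dropped, so the gate can report it.
    """
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        spec, digest = parts[0], None
        for opt in parts[1:]:
            if opt.startswith("--hash=sha256:"):
                digest = opt[len("--hash=sha256:"):].lower()
        pins[spec] = digest
    return pins


def verify_imports(lock_text: str, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Return a verdict per dependency: 'ok', 'missing', 'unpinned' or 'mismatch'."""
    verdicts: Dict[str, str] = {}
    for spec, expected in parse_lockfile(lock_text).items():
        data = artifacts.get(spec)
        if data is None:
            verdicts[spec] = "missing"        # lockfile names it, nothing was fetched
        elif expected is None:
            verdicts[spec] = "unpinned"       # fetched, but nothing to verify against
        elif hmac.compare_digest(sha256_hex(data), expected):
            verdicts[spec] = "ok"             # bytes match what was reviewed
        else:
            verdicts[spec] = "mismatch"       # bytes changed since the pin was taken
    return verdicts


def import_allowed(verdicts: Dict[str, str]) -> bool:
    """The build may proceed only when every dependency verified cleanly."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed artifacts standing in for downloaded wheels (not real packages).
GOOD_REQUESTS = b"constructed wheel bytes for requests 2.31.0"
GOOD_URLLIB3 = b"constructed wheel bytes for urllib3 2.2.1"
TAMPERED_URLLIB3 = GOOD_URLLIB3 + b"\n# injected post-install payload"

# Constructed lockfile: two pinned dependencies and one that was never pinned.
SAMPLE_LOCK = (
    f"requests==2.31.0 --hash=sha256:{sha256_hex(GOOD_REQUESTS)}\n"
    f"urllib3==2.2.1 --hash=sha256:{sha256_hex(GOOD_URLLIB3)}\n"
    "colorama==0.4.6   # no hash: should be rejected, not silently trusted\n"
)


def demo() -> Dict[str, str]:
    """Run the gate over a fetch in which urllib3 was swapped on the mirror."""
    fetched = {
        "requests==2.31.0": GOOD_REQUESTS,
        "urllib3==2.2.1": TAMPERED_URLLIB3,
        "colorama==0.4.6": b"constructed bytes for an unpinned package",
    }
    return verify_imports(SAMPLE_LOCK, fetched)


if __name__ == "__main__":
    result = demo()
    for spec, verdict in result.items():
        print(f"{spec:20} {verdict}")
    print("import allowed:", import_allowed(result))
```

In a real pipeline the same policy is enforced with `pip install --require-hashes -r requirements.txt`; the point of the example is that the gate fails closed on an unpinned entry as well as on a digest mismatch, which is the difference between a lockfile that documents the supply chain and one that controls it.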

Although enterprises have begun to pay attention to software supply chain security, it is still difficult to pinpoint exactly where the risk lies, which improvements deliver the greatest security gains, and how those changes reduce risk over time. Existing methods may not be able to answer these questions; instead we need to think differently about the identity and integrity of the code we build and use, so that software can be protected effectively and efficiently at every step of the development process.


This article was written by Seal security; please include a link to the original when reposting.
