
Coalfire's analysis on the 2022 software supply chain | VentureBeat

source link: https://venturebeat.com/2022/07/21/coalfires-analysis-on-the-2022-software-supply-chain/


[Image: software code against a neon background. Image credit: Getty Images]



Coalfire released a report on software supply chain risk. The study reveals budget increases and growing enterprise demand for more testing, training and process improvements to better protect digital assets, reflecting how seriously organizations now take software supply chain risk.

The survey of 300 respondents from both software buying and software producing companies captures the impact of recent cyber events such as President Biden’s Executive Order (EO) on cybersecurity, and COVID-19 related procurement delays. The report reveals what actions companies are taking to address these challenges.

Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” pushes agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly. Sounil Yu, chief information security officer at JupiterOne, said, “Security teams need to know what they are defending. When vulnerabilities are discovered, a Software Bill of Materials (SBOM) helps security teams begin assessing their exposure to those vulnerabilities and immediately take action.” Yu continued, “Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years because security teams have to wait for notification from each supplier.”

An SBOM is, in effect, a packing slip: it lists the packages and libraries that went into your application, as well as how the application relates to other applications. That inventory is crucial in a zero-tolerance atmosphere.
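To make the "assess exposure from the SBOM" step concrete, here is an added example that is not part of the article or of Coalfire's report: it reads a constructed, minimal CycloneDX-shaped SBOM (only the fields the code uses), compares each component against a constructed advisory list with placeholder IDs, and returns the components whose version falls in a vulnerable range. Package names, versions and advisory IDs are all made up for the example.

```python
import json
import re

# Constructed minimal SBOM in the shape of a CycloneDX JSON document
# (only the fields this example reads; a real SBOM carries many more).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http-client", "version": "1.4.2"},
    {"type": "library", "name": "example-xml-parser", "version": "3.0.0"},
    {"type": "library", "name": "example-logger", "version": "0.9.5-beta"}
  ]
}
"""

# Constructed advisory feed: each entry names a package and a vulnerable
# version range [introduced, fixed). The IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-http-client", "introduced": "1.2.0", "fixed": "1.5.0"},
    {"id": "ADV-EXAMPLE-002", "name": "example-xml-parser", "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "ADV-EXAMPLE-003", "name": "example-logger", "introduced": "0.9.0", "fixed": "0.10.0"},
]


def parse_version(v: str) -> tuple:
    """Numeric parts of a version as a comparable tuple; pre-release tags
    such as '-beta' are ignored and missing parts are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is safe)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_components(sbom_json: str, advisories: list) -> list:
    """Return (advisory id, name, version, fixed version) for every SBOM
    component whose version lies in an advisory's vulnerable range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], comp["name"], comp["version"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for adv_id, name, version, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name} {version} is affected; upgrade to >= {fixed}")
```

Note that example-xml-parser 3.0.0 is not reported because it equals the fixed version; matching exactly on the advisory's version boundaries is what turns an SBOM into an actionable exposure list rather than a noisy one.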


Executive-level awareness increasing

The report summarizes the gravity of software supply chain risk and provides best practices for software buyers and sellers to effectively mitigate threats. More than 50% of boards of directors at software-buying companies are raising concerns, which suggests that responsibility for software supply chain risk is no longer confined to technical teams.

Fifty-nine percent of software developers report their customers have experienced purchase delays of up to three months due to code provenance concerns – how and where it was produced, who owned it, where it was stored – especially regarding software coded in foreign countries.

Given the Software Bill of Materials (SBOM) requirements within the President’s EO, 54% of organizations are re-focusing on the Software Development Life Cycle (SDLC). Corporate leaders are planning to invest heavily in software supply chain risk management, with over one-third likely to allocate at least 10% of their application security budget to supply chain-specific processes.

“With 71% of respondents reporting that devops is now leading digital supply chain decision-making, we’ve clearly reached a turning point in the evolution of security management,” said Coalfire’s vice president of product strategy, Dan Cornell. “It’s great news for software buyers, as this shift will ultimately create stronger applications with fewer vulnerabilities.”

Joshua Corman, former chief strategist of the CISA COVID-19 Task Force, founder of I Am The Cavalry, and author of the report’s foreword, said, “Strength in applications is crucial to building and maintaining trust between software developers and software buyers or operators. The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is — and to the consequences we will incur if that trust is misplaced.”

Third-party testing is an increasingly attractive option for managing supply chain security risks because internal testing across the full breadth of today’s enterprise supply chain often requires additional headcount with high skills and high pay.

