IDC research looks at software supply chain security

A general lack of readiness has contributed to a precipitous increase in software supply chain attacks, and every organization building software is a potential target. Consequently, every organization must be diligent to avoid being the next victim of a high-profile breach. To help raise awareness of software supply chain security and inform organizations about what they can be doing to protect their software supply chain, International Data Corporation (IDC) has recently published a series of reports on the topic.

Software supply chain security aims to secure the components and activities that go into developing and deploying an application, such as people, processes, dependencies, and tools. Software supply chain security differs from traditional application security, which focuses on tools, technologies, and automated processes used to identify, fix, and protect software against vulnerabilities that could impact the application at run-time.

Most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks. In a recent DevSecOps survey, IDC found that less than 30% of respondents identified a vulnerable software supply chain as one of their top security gaps or exposures, and 23% indicated that they experienced some form of software supply chain breach, a 241% increase from the prior year.

Bad actors now recognize that the software supply chain is a soft target. They are becoming more sophisticated in hiding from detection, growing more patient and subtle, and taking time to learn about the environment before attacking. These adversaries could be nation-states or rogue hackers with criminal or malicious intent. They will try to target a company, either directly or as collateral damage, via its application software supply chain.

Over the past several years, numerous software supply chain breaches have occurred. Some well-known breaches include SolarWinds, Codecov, Kaseya, PyTorch, Applied Materials, and the recent 3CX business phone system attack. While these were all software supply chain attacks, the bad actors all used disparate techniques to attack the supply chain. One of the biggest hurdles in securing the software supply chain is recognizing and identifying all the means of exploitation.

“There has been an exponential increase in software supply chain breaches in recent years as malicious actors recognize that the software supply chain provides access to proprietary source code, build processes, or other automated update mechanisms, making it easy to infect DevOps pipelines and applications as well as the ability to move laterally across an organization to access customer data,” said Jim Mercer, research vice president, DevOps and DevSecOps, IDC. “This growing threat of software supply chain attacks should compel organizations to examine their application software supply chains and do what they must to harden them to avoid being breached.”

The rise in attacks on the software supply chain is also compelling the U.S. Federal Government to use its purchasing power to raise security standards through actions such as the May 2021 Executive Order 14028 and the March 2023 National Cybersecurity Strategy. These governmental actions have created a flurry of activity around building and tracking software bill of materials or SBOMs.

“The SBOM has been all the rage since the Executive Order, but both quantitative and qualitative data suggest that organizations are struggling with implementing the practices and tools necessary to make the use of SBOMs actionable, helping to secure their software supply chains,” said Katie Norton, senior research analyst, DevOps and DevSecOps practices at IDC. “However, an ecosystem of frameworks, projects, and tools is forming to help organizations establish a strategy surrounding SBOMs that can set them up for success when the next Log4J or government regulation comes around.” IDC