NEEDHAM, Mass. June 15, 2023 – A general lack of readiness has contributed to a precipitous increase in software supply chain attacks, and every organization building software is a potential target. Consequently, every organization must be diligent to avoid being the next victim of a high-profile breach. To help raise awareness of software supply chain security and inform organizations about what they can be doing to protect their software supply chain, International Data Corporation (IDC) has recently published a series of reports on the topic.
Software supply chain security aims to secure the components and activities that go into developing and deploying an application, such as people, processes, dependencies, and tools. Software supply chain security differs from traditional application security, which focuses on tools, technologies, and automated processes used to identify, fix, and protect software against vulnerabilities that could impact the application at run-time.
Most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks. In a recent DevSecOps survey, IDC found that less than 30% of respondents identified a vulnerable software supply chain as one of their top security gaps or exposures, and 23% indicated that they experienced some form of software supply chain breach, a 241% increase from the prior year.
Bad actors now recognize that the software supply chain is a soft target. They are becoming more sophisticated at evading detection, growing more patient and subtle, and taking time to learn about the environment before attacking. These adversaries could be nation-states or rogue hackers with criminal or malicious intent. They will try to target a company, either directly or as collateral damage, via its application software supply chain.
Over the past several years, numerous software supply chain breaches have occurred. Some well-known breaches include SolarWinds, Codecov, Kaseya, PyTorch, Applied Materials, and the recent 3CX business phone system attack. While these were all software supply chain attacks, the bad actors all used disparate techniques to attack the supply chain. One of the biggest hurdles in securing the software supply chain is recognizing and identifying all the means of exploitation.
“There has been an exponential increase in software supply chain breaches in recent years as malicious actors recognize that the software supply chain provides access to proprietary source code, build processes, or other automated update mechanisms, making it easy to infect DevOps pipelines and applications as well as the ability to move laterally across an organization to access customer data,” said Jim Mercer, research vice president, DevOps and DevSecOps, IDC. “This growing threat of software supply chain attacks should compel organizations to examine their application software supply chains and do what they must to harden them to avoid being breached.”
The rise in attacks on the software supply chain is also compelling the U.S. Federal Government to use its purchasing power to raise security standards through actions such as the May 2021 Executive Order 14028 and the March 2023 National Cybersecurity Strategy. These governmental actions have created a flurry of activity around building and tracking software bills of materials (SBOMs).
“The SBOM has been all the rage since the Executive Order, but both quantitative and qualitative data suggest that organizations are struggling with implementing the practices and tools necessary to make the use of SBOMs actionable, helping to secure their software supply chains,” said Katie Norton, senior research analyst, DevOps and DevSecOps practices at IDC. “However, an ecosystem of frameworks, projects, and tools is forming to help organizations establish a strategy surrounding SBOMs that can set them up for success when the next Log4J or government regulation comes around.”
To help organizations better understand the importance of software supply chain security, and how best to implement it, IDC has recently published several reports:
Operationalizing SBOMs to Secure Your Software Supply Chain (Doc #US50137723)
This research presents the challenges around operationalizing the software bill of materials (SBOM) that organizations face and that are impeding broader adoption.
Future of Digital Innovation and DevSecOps: Understanding and Securing the Attack Vectors of the Modern Software Supply Chain (Doc #US50485623)
This research examines the various dimensions of the software supply chain that organizations need to be aware of and provides some guidance on tools and configurations that can help.
IDC Market Glance: Software Supply Chain Security, 2Q23 (Doc #US50831623)
This IDC Market Glance looks at the emerging software supply chain security market landscape and provides a high-level, illustrative graphical overview of the market, laying out the key segments and subsegments and identifying vendors that offer solutions or capabilities in each. It can help educate organizations on new and emerging technologies for securing the software supply chain.
About IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. With more than 1,300 analysts worldwide, IDC offers global, regional, and local expertise on technology, IT benchmarking and sourcing, and industry opportunities and trends in over 110 countries. IDC’s analysis and insight help IT professionals, business executives, and the investment community to make fact-based technology decisions and to achieve their key business objectives. Founded in 1964, IDC is a wholly owned subsidiary of International Data Group (IDG), the world’s leading tech media, data, and marketing services company. To learn more about IDC, please visit www.idc.com. Follow IDC on Twitter at @IDC and LinkedIn. Subscribe to the IDC Blog for industry news and insights.