
Businesses are failing to protect software supply chains


IT professionals believe supply chain attacks are going to surge this year and that software vendors should tighten up their security in anticipation. However, when it comes to holding their own software suppliers to account, businesses are far less motivated.

This is according to a new report from the identity management company Venafi, based on a poll of more than 1,000 IT and software development professionals, which states that the overwhelming majority (94 percent) believe there should be “clear consequences” for software vendors that fail to protect the integrity of their software build pipelines.

The report also uncovered that 96 percent of executives think software providers should be required to guarantee the integrity of the code they provide through updates.

At the same time, businesses have done very little to change how they evaluate the security of the software they purchase; more than half (55 percent) said the SolarWinds attack did not change the way they approach software procurement.

In-house, executives are split on who is responsible for software security: 48 percent say it is IT's responsibility, while 46 percent believe it is the development team's job.

“To address this systemic problem, the entire technology industry needs to change the way we build and buy software,” said Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi. 

“Executives can’t treat this as just another technical problem—it’s an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software.”

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.