Software supply chain security fixes gain prominence at RSA


Given the significant cybersecurity problems that the SolarWinds, Log4j and other software supply chain compromises created over the past two years, it’s no surprise that software security emerged as a hot topic at this year’s RSA conference. Ahead of the event, ReversingLabs released a survey it commissioned of over 300 senior software employees on the struggles their firms face in detecting supply chain attacks.

Despite the recent spate of high-profile software supply chain security incidents, the ReversingLabs study found that fewer than four in ten companies say they can detect tampering with developed code. In addition, less than 10% of companies are reviewing software at each product lifecycle stage for evidence of tampering or compromises.

SBOM usage is sparse but expected to grow rapidly

When it comes to one crucial emerging tool that can better ensure software security, the software bill of materials (SBOM), the ReversingLabs survey found that only 27% of the IT professionals surveyed said their employer generates and reviews SBOMs before releasing software. Of those respondents whose companies do not develop SBOMs, 44% cited a lack of the expertise and staffing needed to do so, while 32% cited a lack of budget for implementing SBOMs. Only 7% of respondents at companies that don’t produce SBOMs said the reason was that an SBOM wasn’t needed.

The sparse usage of SBOMs is quickly becoming a thing of the past for two primary reasons, Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told RSA attendees. First, because of events like SolarWinds, organizations are starting to demand SBOMs for the software they use as a security measure to identify problematic code.

Second, under President Biden’s cybersecurity executive order issued last year, any company that sells software to the federal government will be mandated to provide a complete SBOM. “If you want to have a secure development process, it’s very hard to say that you have one if you are not tracking your [software] dependencies,” Friedman said. “If you are in the business of buying software or selecting open-source components, you need to understand supply chain risks. You need to understand vulnerability risks. And, of course, to do that, you need to know what’s under the hood. For those of us who operate software, we need to understand what’s in there so that when a new risk emerges, we can react quickly and efficiently.”

Kate Stewart, vice president, Dependable Embedded Systems at the Linux Foundation, said that despite the low adoption rate of SBOMs now, roughly 78% of the companies the Foundation surveyed said they’re going to be using SBOMs this year. “People are tooling up. They are getting ready internally and externally,” she said.

Copyright © 2022 IDG Communications, Inc.
