Key Findings on Supply Chain Attacks
- 65% of organizations encountered supply chain attacks in the last year.
- GenAI adoption heightens risks; merely 24% assess AI-generated code for security and intellectual property concerns.
- Enhanced compliance and continuous automation expedite remediation and bolster defense effectiveness.
The software supply chain—encompassing a complex web of components, tools, and processes utilized in software development, construction, and distribution—has unexpectedly emerged as a prime target for cybercriminals.
This trend allows malefactors to circumvent traditional defenses, yielding disproportionate gains from isolated breaches.
This insight is drawn from the comprehensive report titled “Navigating Software Supply Chain Risk in a Rapid-Release World,” produced by the application security firm Blackduck.
Drawing on a survey of 540 software security authorities, the report reveals that a significant two-thirds (65%) of organizations have suffered at least one supply chain assault within the preceding twelve months.
Importance of Compliance
These attacks are increasingly nuanced, with reports indicating malicious dependencies (30%), unaddressed vulnerabilities (28%), zero-day exploits (27%), and malware infiltrations into build pipelines (14%).
The accelerating adoption of Generative Artificial Intelligence (GenAI) in enterprises exacerbates these challenges. Blackduck notes that a staggering 95% of organizations now employ AI tools, predominantly ChatGPT, for software development, yet security protocols lag woefully behind. While there is considerable confidence in these tools, the actual validation rates are disconcertingly low.
Alarmingly, only 24% of organizations subject AI-generated code to scrutiny for issues pertaining to intellectual property, licensing, security, or quality.
According to the report, this oversight leaves ample opportunity for vulnerabilities to infiltrate the supply chain, potentially resulting in the unintentional introduction of copyrighted intellectual property or the exposure of sensitive API keys.
In fortifying defenses, adherence to compliance emerges as paramount. Blackduck asserts that, counter to common perceptions, a compliance-centric methodology not only enhances security but also accelerates response times.
There appears to be a distinct connection between stringent compliance measures and the velocity of remediation efforts.
Organizations implementing at least four distinct compliance controls respond to critical vulnerabilities with greater swiftness, with 54% accomplishing this in contrast to 45% among the general survey respondents.
Moreover, the necessity for automation cannot be overstated. Reliance on intermittent manual monitoring, a practice currently adopted by approximately 36% of respondents, is broadly deemed inadequate. Organizations employing automatic continuous monitoring are classified as “significantly more effective.”
Source link: Techradar.com.
