The software industry's sharply growing dependence on open source software (OSS) has made software supply chains a major security target. According to a recent report, 64% of organizations suffered a software supply chain attack last year.
The 2022 Software Supply Chain Status Report was produced by IoT software and solutions provider Revenera, drawing on data from more than 100 Revenera audit services projects.
Although awareness of open source usage is the first step toward creating and maintaining a successful open source management strategy, nearly 70% of organizations do not have a company-wide policy for the proper use of open source.
Revenera's audit team identified 12% more issues in 2021 than in the previous year: audit projects turned up 2,200 issues, compared with 1,959 in 2020. 61% of the scanned code base files were classified as open source, 6 percentage points more than in 2020.
Revenera also found 7% more binary files than in 2020. Binaries are harder to audit than source code because they often combine intellectual property from multiple sources and are made up of multiple files.
Overall, attacks on software supply chains increased by more than 300% in 2021 compared to 2020, according to a study by Argon Security, recently acquired by Aqua Security. The Revenera audit team identified 282 security vulnerabilities per audit project, 217% more than in 2020. 27 percent of these vulnerabilities carry a "high" CVSS severity rating. Despite this, the level of security across the software development lifecycle remains low.
However, some companies are trying to mitigate supply chain risk with new rules and a software bill of materials (SBOM).
Industry and markets continue to respond to software supply chain and security risk by tightening rules for identifying and tracking open source issues, through organizations, standards and regulations such as NIST, PCI, OpenChain, OWASP, MITRE, NHTSA and GDPR.
An executive order in May began setting SBOM priorities, stating that any vendor that sells software to the federal government must provide an SBOM.
"As industries and governing bodies increase management requirements, and more and more companies require SBOM from software vendors as part of a contract process to prove software supply chain security, a complete and accurate list of what is in the code is likely to become the norm, not the exception," the statement reads.
Revenera suggested six steps toward better software supply chain security:
- "Understand the construction of the software pipeline and how software sources, components, and packages are accessed.
- Create an accurate SBOM that includes all subcomponents, hidden dependencies, and related licenses.
- Modify vulnerability management and license retention to minimize and mitigate open source risks at the beginning of the DevOps lifecycle.
- Collaborate with key stakeholders throughout the organization.
- Empower software developers by providing ongoing training on security vulnerabilities and license compliance management.
- Implement an SCA solution that identifies security and license compliance issues in the code."
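The following Python is an added illustration of what steps 1, 2 and 6 look like in practice; it is not code from the report or from Revenera's tooling. It walks a constructed dependency manifest (package names, versions and advisories are all made up for the example), records every transitive component in a flat SBOM with its license and the path that pulled it in, and then runs a minimal SCA-style policy check: copyleft or unknown licenses are flagged, and a component whose version falls below the fixed version in a constructed advisory feed is reported. A dependency that is referenced but missing from the manifest is kept as an UNKNOWN entry rather than dropped, which is the "hidden dependency" case step 2 warns about.

```python
"""Minimal SBOM construction and policy check over a constructed manifest.

Illustrative example only; package names, versions, licenses and the
advisory entry below are invented for the demonstration.
"""
from __future__ import annotations

import json
from collections import deque
from dataclasses import asdict, dataclass

# Constructed manifest: name -> (version, SPDX license id, declared dependencies)
MANIFEST = {
    "webapp":        ("1.0.0",     "Proprietary",  ["requests-lite", "logfmt"]),
    "requests-lite": ("2.3.1",     "Apache-2.0",   ["urlparse3", "certstore"]),
    "urlparse3":     ("1.26.0",    "MIT",          []),
    "certstore":     ("2021.10.8", "MPL-2.0",      []),
    "logfmt":        ("0.9.0",     "GPL-3.0-only", ["ansi-colors"]),
    "ansi-colors":   ("4.1.0",     "MIT",          ["tiny-util"]),  # tiny-util has no manifest entry
}

# Constructed advisory feed: component -> first fixed version (earlier versions affected)
ADVISORIES = {"urlparse3": "1.26.5"}

# License policy for a proprietary product: copyleft and unknown licenses are not allowed
ALLOWED_LICENSES = {"Proprietary", "MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0"}


@dataclass
class Component:
    name: str
    version: str
    license: str
    depth: int           # 1 = direct dependency, >1 = transitive
    introduced_by: str   # parent component that pulled it in


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric tuple comparison; sufficient for plain dotted versions."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(root: str, manifest: dict) -> list[Component]:
    """Breadth-first walk of declared dependencies so each component is
    recorded once, at its shortest depth. Components referenced but absent
    from the manifest are kept with UNKNOWN version/license so they cannot
    silently disappear from the bill of materials."""
    seen: set[str] = set()
    sbom: list[Component] = []
    queue = deque((dep, 1, root) for dep in manifest[root][2])
    while queue:
        name, depth, parent = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        version, lic, deps = manifest.get(name, ("UNKNOWN", "UNKNOWN", []))
        sbom.append(Component(name, version, lic, depth, parent))
        queue.extend((d, depth + 1, name) for d in deps)
    return sorted(sbom, key=lambda c: c.name)


def sbom_as_json(sbom: list[Component]) -> str:
    """Serialize the flat SBOM; a real tool would emit CycloneDX or SPDX."""
    return json.dumps([asdict(c) for c in sbom], indent=2)


def check_policy(sbom: list[Component], allowed=ALLOWED_LICENSES, advisories=ADVISORIES) -> list[str]:
    """Return one finding per license-policy violation or advisory match."""
    findings: list[str] = []
    for c in sbom:
        where = f"{c.name} {c.version} (depth {c.depth}, via {c.introduced_by})"
        if c.license not in allowed:
            findings.append(f"LICENSE {where}: {c.license} not in allow-list")
        fixed = advisories.get(c.name)
        if fixed and c.version != "UNKNOWN" and parse_version(c.version) < parse_version(fixed):
            findings.append(f"VULN    {where}: affected, fixed in {fixed}")
    return findings


if __name__ == "__main__":
    components = build_sbom("webapp", MANIFEST)
    print(sbom_as_json(components))
    for line in check_policy(components):
        print(line)
```

Run as a script it prints the six-component SBOM and three findings: the direct GPL-3.0-only dependency, the unmanifested transitive package with an unknown license, and the transitive component below the advisory's fixed version. Recording depth and the introducing parent is what makes a finding actionable: a vulnerable transitive package is fixed by bumping the direct dependency that pulls it in, not the package itself.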
Report: 64% of companies affected by attacks on supply chains mainly due to increased dependence on OSS