Software supply chain attacks hit three out of five companies in 2021

More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.

The survey bracketed the discovery of the vulnerability found in the Apache Log4 utility. Researchers conducted the survey from December 3 to December 30, 2021. Log4j was revealed December 9. Before that date, 55% of respondents said they had suffered a software supply chain attack. After that date, that number jumped to 65%.

“That means there were brand new people who had not experienced a supply chain attack before Log4j, and that there were people who had experienced an earlier attack but were seeing a stronger impact after Log4j,” says Kim Weins, senior vice president at Anchore.

Tech companies hit harder by software supply chain attacks

The survey also found more tech companies were significantly impacted by software supply chain attacks (15%), compared to other industries (3%). “Tech companies potentially create ROI for the bad actors,” Wein says. “If an attacker can get into a software product and that software product is delivered to thousands of other people, they now have a foothold in thousands of other companies.”

Supply chain security also appears to be grabbing mindshare in many organizations, with 54% of respondents pegging it as a top or significant area of focus. Interest among mature container users was even higher, with 70% declaring supply chain security a top or significant focus for them.

“The number of dependencies that you have to pay attention to goes up with containers and cloud-native deployments,” Weins says. “So, as people get more mature with containers, they recognize that they have to pay attention to all those extra attack surfaces created by those dependencies.”

SBOM critical for securing the software supply chain

While protecting the software supply chain appears to be top-of-mind for many respondents, the report noted, few are incorporating software bills of materials (SBOMs) into their security postures. For example, less than a third of respondents are following SBOM best practices and only 18% have a complete SBOM for all their applications.

“We believe that SBOM is a critical foundation for securing the software supply chain because it provides you with the visibility into what software you’re actually using,” Weins says.

An SBOM can also help speed up the response time of a security team when vulnerabilities are discovered. “Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years,” notes Sounil Yu, CISO of JupiterOne, an asset management and governance solutions company.

“Without SBOMs, customers invest in black box solutions, resulting in a lack of awareness of all the components used in a product or service,” adds Rick Holland, CISO at Digital Shadows, a provider of digital risk protection solutions.

Weins maintains that SBOM is going to be a must-do for 2022. “It’s becoming obvious to everybody that software security starts with understanding what you have—a complete list of components—and then using that to check for security before you deliver software. Then you need to continuously monitor the security of software after it has been deployed.”