Survey finds significant jump in software supply chain attacks after Log4j exposed

More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that nearly a third of respondents (30%) said their organizations were significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.

The survey bracketed the disclosure of the vulnerability in the Apache Log4j logging library. Researchers conducted the survey from December 3 to December 30, 2021; Log4j was revealed December 9. Before that date, 55% of respondents said they had suffered a software supply chain attack. After that date, the figure jumped to 65%.

“That means there were brand new people who had not experienced a supply chain attack before Log4j, and that there were people who had experienced an earlier attack but were seeing a stronger impact after Log4j,” says Kim Weins, senior vice president at Anchore.

Tech companies hit harder by software supply chain attacks

The survey also found that more tech companies were significantly impacted by software supply chain attacks (15%) than companies in other industries (3%). “Tech companies potentially create ROI for the bad actors,” Weins says. “If an attacker can get into a software product and that software product is delivered to thousands of other people, they now have a foothold in thousands of other companies.”

Supply chain security also appears to be grabbing mindshare in many organizations, with 54% of respondents pegging it as a top or significant area of focus.
Interest among mature container users was even higher, with 70% declaring supply chain security a top or significant focus for them.

“The number of dependencies that you have to pay attention to goes up with containers and cloud-native deployments,” Weins says. “So, as people get more mature with containers, they recognize that they have to pay attention to all those extra attack surfaces created by those dependencies.”

SBOM critical for securing the software supply chain

While protecting the software supply chain appears to be top-of-mind for many respondents, the report noted, few are incorporating software bills of materials (SBOMs) into their security postures. For example, fewer than a third of respondents are following SBOM best practices, and only 18% have a complete SBOM for all their applications.

“We believe that SBOM is a critical foundation for securing the software supply chain because it provides you with the visibility into what software you’re actually using,” Weins says.

An SBOM can also help speed up the response time of a security team when vulnerabilities are discovered. “Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years,” notes Sounil Yu, CISO of JupiterOne, an asset management and governance solutions company. “Without SBOMs, customers invest in black box solutions, resulting in a lack of awareness of all the components used in a product or service,” adds Rick Holland, CISO at Digital Shadows, a provider of digital risk protection solutions.

Weins maintains that SBOM is going to be a must-do for 2022. “It’s becoming obvious to everybody that software security starts with understanding what you have—a complete list of components—and then using that to check for security before you deliver software.
Then you need to continuously monitor the security of software after it has been deployed.”
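The check Weins describes, using the component list to test for known-vulnerable versions before shipping and again after deployment, is what an SBOM makes mechanical. The following Python script is an added example, not code from the article, from Anchore, or from the other companies quoted. It parses a CycloneDX JSON SBOM, identifies each component by its package URL (purl), and matches it against a list of affected version ranges. Both the SBOM and the advisory list are constructed inline so it runs offline: the log4j-core entry mirrors the published Log4Shell (CVE-2021-44228) range of 2.0-beta9 up to but not including 2.15.0, while "EXAMPLE-0001" is a hypothetical advisory added only to show a non-matching range. The version comparison is a simplified one, not a full Maven or semver comparator.

```python
"""Check the components in a CycloneDX SBOM against vulnerable version ranges.

Added example for illustration; not the article's, Anchore's, or any
vendor's code. The SBOM and advisory list below are constructed inline.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a fictional Java service. The component
# coordinates are illustrative; nothing here describes a real application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.1",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
        # A second copy of log4j-core at a fixed version, e.g. shaded into another jar.
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Constructed advisory feed. Each entry names a package (purl without the
# version) and a half-open affected range [introduced, fixed). The first entry
# mirrors the published Log4Shell range for log4j-core; "EXAMPLE-0001" is a
# hypothetical advisory whose range the sample SBOM does not hit.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0001",
     "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.9.0", "fixed": "2.12.0"},
]


def version_key(version):
    """Sortable key for versions such as '2.14.1' or '2.0-beta9'.

    Numeric release parts compare numerically (2.0 == 2.0.0); a pre-release
    tag sorts before the same release without one. Simplified on purpose:
    this is not a complete Maven or semver comparator.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = m.group(2) or ""
    pre_parts = tuple(int(t) if t.isdigit() else t.lower()
                      for t in re.findall(r"\d+|[A-Za-z]+", pre))
    return (nums, 0 if pre else 1, pre_parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def purl_base(purl):
    """Strip '@version' (and anything after it) from a package URL."""
    return purl.split("@", 1)[0]


def iter_components(components):
    """Yield components depth-first; CycloneDX allows nested 'components'."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def load_sbom(text):
    """Parse CycloneDX JSON and return a flat list of its components."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return list(iter_components(sbom.get("components", [])))


def find_vulnerable_components(sbom_text, advisories):
    """Return one finding per (component, advisory) pair whose range matches."""
    findings = []
    for comp in load_sbom(sbom_text):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            # No coordinates means no match is possible; real tooling should
            # report such components rather than silently skip them.
            continue
        for adv in advisories:
            if purl_base(purl) == adv["package"] and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append({"purl": purl, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (upgrade to >= {f['fixed']})")
```

Run directly, the script reports only the log4j-core 2.14.1 component; the 2.17.1 copy and jackson-databind fall outside their ranges. In practice the advisory feed comes from a vulnerability database keyed by purl, the same check gates a release pipeline, and re-running it as new advisories arrive is the continuous monitoring step in the quote above.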