Venafi announced the results of a global survey that assesses the impact of software supply chain attacks like SolarWinds / SUNBURST, CodeCov and Kaseya / REvil on how development organizations are changing their approach to securing environments creation and delivery of software.
The survey evaluated the opinions of more than 1,000 information security professionals, developers and executives in the IT and software development industries.
Misalignment between security and development teams
According to the survey, respondents are almost unanimous (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year.
Despite this certainty, there is no alignment between security and development teams that the team should be responsible for improving security in software creation and distribution environments. For example, when asked who is primarily responsible for improving the security of their organization’s software development environment, 48% of respondents say their security teams are responsible and 48% say their teams development are responsible.
“While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious to date,” said Kevin Bocek, vice president of security and intelligence strategy at threats to Venafi.
“SUNBURST has made it clear that every organization needs to take urgent and substantial action to change the way we secure software creation pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, while we can’t even agree on who is responsible for taking these steps, it’s pretty clear that we’re not even close to making any meaningful changes. Anyone who hopes this problem has been solved is deluding themselves. “
Trust and responsibility in the software development environment
- 80% of respondents say they are not completely confident in their organization’s ability to defend against attacks targeting software-building environments.
- 69% of developers surveyed believe that developers are responsible for the security of their organization’s software creation process. However, 67% of security respondents believe it is the responsibility of the security team.
- When asked who should be responsible for the security of their organization’s software creation process, 58% of security respondents said it should be their responsibility and 53% of developers surveyed said it is. should be theirs. Only 8% of all respondents suggested that the responsibility should be shared.
“As the results of this survey clearly show, most organizations haven’t made it clear which team has the incentive or direction they need to make the required changes. The only way to minimize the risk of future attacks is to allow developers to move quickly from idea to production, without compromising security, ”continued Bocek.
“Speed of innovation and security go hand in hand in software development. In the same way that a Formula 1 engineer builds for performance and safety at the same time, software developers must also be responsible for both. To do this, developers clearly need the help and support of security teams. Boards, CEOs and CEOs need to take action to ensure clear ownership lines so that changes are in place and they can hold teams accountable. “