Intelligent CISO Issue 40 | Page 61

Who is responsible for increasing security as software supply chain attacks escalate?

Venafi, the inventor and leading provider of machine identity management, has announced the findings of a global survey that evaluates the impact of the SUNBURST, Codecov and REvil attacks on how development organisations are changing their approach to securing software build and delivery environments. The survey evaluated the opinions of over 1,000 information security professionals, developers and executives in the IT and software development industries.

According to Venafi's survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack SolarWinds' software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments. For example, when asked who is primarily responsible for improving the security of their organisation's software development environments, 48% of respondents say their security teams are responsible and 48% say their development teams are responsible.
"While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far," said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. "SUNBURST made it absolutely clear that every organisation must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can't even agree on who is responsible for taking these actions, it's pretty clear that we aren't even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves."
Additional survey findings include:

• 80% of respondents say they are not completely confident in their organisation's ability to defend against attacks targeting software build environments.
• 69% of developer respondents believe developers are responsible for the security of their organisation's software build process. However, 67% of security respondents believe it is the security team's responsibility.
• When asked who should be responsible for the security of their organisation's software build process, 58% of security respondents say it should be their responsibility and 53% of developer respondents say it should be theirs. Just 8% of all respondents suggested that responsibility should be shared.
"As these survey results clearly show, most organisations have not made it clear which team has the incentive directives they need to make the changes required. The only way to minimise the risk of future attacks is to enable developers to move fast, from idea to production, without compromising security," said Bocek.

"Speed of innovation and security are inseparable in software development. In the same way a Formula 1 engineer builds for performance and safety at the same time, software developers also need to be accountable for both. To accomplish this, developers clearly need help and support from security teams. Boards, CEOs and managing directors need to take action to ensure clear lines of ownership so changes are in place and they can hold teams accountable."
intelligent SOFTWARE SECURITY
www.intelligentciso.com