Software supply chain attacks hit three out of five companies in 2021

Survey finds significant jump in software supply chain attacks after Log4j exposed.

More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore

The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organisations of nearly a third of the respondents (30 per cent) were either significantly or moderately impacted by a software supply chain attack in 2021. Only six per cent said the attacks had a minor impact on their software supply chain.

The survey bracketed the discovery of the vulnerability found in the Apache Log4 utility. Researchers conducted the survey from December 3 to December 30, 2021. Log4j was revealed December 9. Before that date, 55 per cent of respondents said they had suffered a software supply chain attack. After that date, that number jumped to 65 per cent.

"That means there were brand new people who had not experienced a supply chain attack before Log4j, and that there were people who had experienced an earlier attack but were seeing a stronger impact after Log4j," says Kim Weins, senior vice president at Anchore.

Tech companies hit harder by software supply chain attacks

The survey also found more tech companies were significantly impacted by software supply chain attacks (15 per cent), compared to other industries (three per cent). 

"Tech companies potentially create ROI for the bad actors," Wein says. "If an attacker can get into a software product and that software product is delivered to thousands of other people, they now have a foothold in thousands of other companies."

Supply chain security also appears to be grabbing mindshare in many organisations, with 54 per cent of respondents pegging it as a top or significant area of focus. Interest among mature container users was even higher, with 70 per cent declaring supply chain security a top or significant focus for them.

"The number of dependencies that you have to pay attention to goes up with containers and cloud-native deployments," Weins says. "So, as people get more mature with containers, they recognise that they have to pay attention to all those extra attack surfaces created by those dependencies."

SBOM critical for securing the software supply chain

While protecting the software supply chain appears to be top-of-mind for many respondents, the report noted, few are incorporating software bills of materials (SBOMs) into their security postures. For example, less than a third of respondents are following SBOM best practices and only 18 per cent have a complete SBOM for all their applications.

"We believe that SBOM is a critical foundation for securing the software supply chain because it provides you with the visibility into what software you're actually using," Weins says.

An SBOM can also help speed up the response time of a security team when vulnerabilities are discovered. "Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years," noted Sounil Yu, CISO of JupiterOne, an asset management and governance solutions company.

"Without SBOMs, customers invest in black box solutions, resulting in a lack of awareness of all the components used in a product or service," adds Rick Holland, CISO at Digital Shadows, a provider of digital risk protection solutions.

Weins maintains that SBOM is going to be a must-do for 2022. "It's becoming obvious to everybody that software security starts with understanding what you have — a complete list of components — and then using that to check for security before you deliver software. Then you need to continuously monitor the security of software after it has been deployed."