Could code signing be the answer to limiting software supply chain attacks?

Image: cyberattack concept (Shutterstock/PabloLagart)

While supply chains are not as tangled as they were during the heart of the COVID-19 pandemic, there are still some large security issues at hand. A new survey of 1,000 CIOs conducted by Venafi shows that over 80% said their organizations are vulnerable to cyberattacks targeting software supply chains. These cybersecurity gaps remain a major concern for many businesses, as the rate of supply chain attacks spiked 51% last year alone.

“Digital transformation has made every business a software developer. And as a result, software development environments have become huge targets for attackers,” said Kevin Bocek, vice president of threat intelligence and business development for Venafi. “Hackers have discovered that successful supply chain attacks are extremely efficient and more profitable.”

In addition, 85% of CIOs have specifically been instructed by the board or CEO to take action to improve the security of software development and build environments. But the question remains, how can this be done?

Are organizations doing enough to thwart cyberattacks?

This jump in software supply chain cyberattacks over the previous year has made clear that companies need to act immediately or join the long list of victims. To close these potential gaps in security, 84% of those surveyed said their organization has dedicated a larger share of its budget to protecting its supply chain over the last year.

Specifically, CIOs said their approaches have changed via implementation of more security controls (68%), additional use of code signing (56%) and looking at the provenance of their open source libraries (47%). However, some CIOs and businesses are less inclined to change their security practices, as the controls for doing so would require a fundamental change in structure to better secure software build pipelines.

“CIOs realize they need to improve software supply chain security but it’s extremely difficult to determine exactly where the risks are, which improvements provide the greatest increase in security, and how these changes reduce risk over time,” said Bocek. “We can’t solve this problem using existing methodologies. Instead, we need to think differently about the identity and integrity of the code we are building and using—and we need to protect and secure it at every step of the development process at machine speed.”


Code signing may be the answer to stopping supply chain attacks

To this end, 62% of CIOs say their InfoSec teams are in charge of the budgets dedicated to securing software development and build environments, but this is not enough, says Venafi. According to the company’s findings, InfoSec teams do not have the depth of knowledge necessary to handle the intricacies of software build pipelines. Now that malicious parties have begun to infiltrate poorly protected CI/CD pipelines, it is time for organizations to employ code signing to secure these supply chains.

By employing code signing on the vulnerable systems at hand, enterprises can catch unsigned malware before it wreaks havoc on their supply chain and, by extension, their customer base. Of those who responded, 71% of CIOs say their code signing budget is increasing, and 56% say their business has made efforts to use more code signing to offset the risk of additional cyberattacks.
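The gate the article has in mind, sketched as an added example (this is not Venafi's product or any code from the original article): the build step signs a SHA-256 digest of each artifact with a build key, and the deployment step admits an artifact only if it carries a signature that verifies under a trusted build key. Everything here is an assumption for illustration: Ed25519 keys generated in memory, the `SignArtifact`/`VerifyArtifact` helper names, and the four constructed artifacts (a clean build, the same build with one byte flipped after signing, an unsigned file, and a build signed with a key the pipeline does not trust).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedArtifact is a build output together with the signature the build
// step attached to it. An empty Signature means the artifact is unsigned.
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// Errors the verification gate can return; callers can switch on them.
var (
	ErrUnsigned = errors.New("artifact carries no signature")
	ErrBadSig   = errors.New("signature does not verify under any trusted build key")
)

// SignArtifact runs at build time: it hashes the content with SHA-256 and
// signs the digest with the build key (hypothetical helper, not a Venafi API).
func SignArtifact(buildKey ed25519.PrivateKey, name string, content []byte) SignedArtifact {
	digest := sha256.Sum256(content)
	return SignedArtifact{Name: name, Content: content, Signature: ed25519.Sign(buildKey, digest[:])}
}

// VerifyArtifact runs at deploy time: it admits the artifact only when a
// signature is present and verifies under one of the trusted build keys.
// Any byte changed after signing changes the digest and fails verification.
func VerifyArtifact(trusted []ed25519.PublicKey, a SignedArtifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(a.Content)
	for _, pub := range trusted {
		if ed25519.Verify(pub, digest[:], a.Signature) {
			return nil
		}
	}
	return ErrBadSig
}

// Demo exercises the gate with four constructed artifacts and returns the
// verdict for each, keyed by scenario name.
func Demo() map[string]error {
	// Constructed keys: the official build key and a key nobody trusts.
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []ed25519.PublicKey{buildPub}

	good := SignArtifact(buildPriv, "app-1.0.tar.gz", []byte("release build contents"))

	// Tampered: same signature, but one byte of content altered after signing.
	tampered := good
	tampered.Content = append([]byte{}, good.Content...)
	tampered.Content[0] ^= 0x01

	unsigned := SignedArtifact{Name: "hotfix.bin", Content: []byte("dropped in by hand")}
	rogue := SignArtifact(roguePriv, "app-1.0.tar.gz", []byte("release build contents"))

	return map[string]error{
		"signed":    VerifyArtifact(trusted, good),
		"tampered":  VerifyArtifact(trusted, tampered),
		"unsigned":  VerifyArtifact(trusted, unsigned),
		"rogue-key": VerifyArtifact(trusted, rogue),
	}
}

func main() {
	for name, err := range Demo() {
		if err == nil {
			fmt.Printf("%-10s admitted\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

Only the clean build is admitted; the tampered, unsigned and rogue-key artifacts are all rejected, which is the point of putting the check at the deployment boundary rather than trusting whatever lands in the artifact store. In a real pipeline the trusted key list would come from a managed store and the private key would live in an HSM or KMS rather than process memory, but the gate logic stays the same.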

According to Venafi, companies should employ more code signing processes while restructuring their cybersecurity posture, even if that means some growing pains in the short term.