Security News

There have been more than 200 dedicated supply chain attacks over the past decade. If the supply chain is anything that potentially gives you an opportunity to hop to another target, just about everything - including you - is part of the supply chain.

Security threats have only heightened these concerns, and an ISACA survey report illuminates IT professionals' key concerns around supply chain security challenges and how their organizations are responding to them. The report received responses from more than 1,300 IT professionals with supply chain insight, 25 percent of whom note that their organization experienced a supply chain attack in the last 12 months.

Major supply-chain attacks of recent years - we're talking about SolarWinds, Kaseya and Log4j to name a few - are "Just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center. As the head of MSRC, Gupta has a unique vantage point.

The shift to cloud native development, along with the increased speed in development brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex. Adversaries, motivated by the success of high-profile software supply chain attacks on companies like SolarWinds and Kaseya, are stepping up attacks against software build and distribution environments.

Adversaries, motivated by the success of high-profile software supply chain attacks on companies like SolarWinds and Kaseya, are stepping up attacks against software build and distribution environments. "Digital transformation has made every business a software developer. And as a result, software development environments have become huge target for attackers," said Kevin Bocek, VP of threat intelligence and business development for Venafi.

Tech pros have low confidence in supply chain security. Security threats have heightened the supply chain challenges enterprises have faced over the past two years, and a new ISACA survey report finds only 44% of IT professionals surveyed have high confidence in the security of their organization's supply chain.

Majority of CIOs say their software supply chains are vulnerable, execs demand action. A new survey of 1,000 CIOs conducted by Venafi shows that over 80% said their organizations are vulnerable to cyberattacks targeting software supply chains.

Ask 1,000 CIOs whether they believe their organizations are vulnerable to cyberattacks targeting their software supply chains and about 82 percent can be expected to say yes. "The results show that while CIOs understand the risk of these types of attacks, they have yet to grasp the fundamental organizational changes and new security controls they will need to incorporate into their security posture to reduce the risk of supply chain attacks that can be devastating to themselves and their customers," says Venafi's report, which was released on Tuesday.

Software supply chain attacks have been increasing over the past few years, spurring the Biden administration to release an executive order detailing what government agencies are supposed to do to protect themselves against them. These attacks consist of several different types of threats, but the result is always the same: attackers gaining access to run code on your infrastructure or to tamper with the code that you're using in production.

A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."