Existing security controls no match for modern threats, report finds
Today’s threat actors are recognising that the code developed in CI/CD pipelines is often poorly or improperly secured, and attackers are shifting from targeting final software executables to infiltrating software build pipelines with malware.
This was among the key findings in Venafi and Coleman Parkes’ recent study of 1,000 CIOs from the US, UK, France, DACH, Benelux and Australasia regions.
The results suggest that while most CIOs know the risk of these types of attacks – with 82% stating their organisation is prone to attacks targeting their software build and distribution environments – they have yet to grasp the organisational changes and new security controls they will need to incorporate into their security posture if they are to reduce the risk.
Some CIOs have already taken preliminary steps to tackle the problem: 68% have implemented more security controls; 56% are making more use of code signing; and 47% are examining the provenance of their open source libraries.
The study also shows that 85% of CIOs have specifically been instructed by the board or CEO to take action to improve the security of software development and build environments, since these threats leave not only organisations vulnerable but their customers as well.
It seems CIOs and organisations are hesitant to address critical security controls needed to effectively support software build pipelines, which require a different security structure.
According to the data, 61% of organisations still have InfoSec teams own and manage security for software development and build environments, even though those teams often lack visibility into what software engineering teams are doing.
More notably, 95% of InfoSec teams have authority over which security controls should be used to protect software supply chains. At the same time, nearly a third (31%) of InfoSec teams cannot enforce the policies they recommend. Since InfoSec is expected to take responsibility for securing critical environments it does not fully understand, this is a concern.
Meanwhile, the report suggests developers are seen as less than committed to maintaining software supply chain security, with 87% of CIOs agreeing that software engineers/developers sometimes compromise on security policies and controls to meet the organisation’s drive to develop new products and services quickly.
This disconnect shouldn’t be mistaken for a lack of concern: when forced to choose between slowing down the pipeline and keeping development running at full speed, software engineering teams generally choose speed to meet the business goals they have been set.
However, most organisations understand the need to address the threat of these attacks. According to the data, 84% of organisations have increased their budget dedicated to the security of software development and build pipelines.
In addition, organisations are increasing their 2022 security budgets for solutions directly related to software supply chain security: 86% have increased budgets dedicated to IAM (Identity and Access Management) for software engineering environments, and 71% have increased code signing budgets.
Yet 62% of organisations’ budget is held by InfoSec teams, and the problem with that scenario is that InfoSec often lacks a depth of knowledge about the intricacies of software build pipelines.
Additionally, InfoSec needs to maintain the same level of visibility over cloud native development that it has had in traditional data center environments. This is complicated by the diversity of cloud instances and of the applications that run on them.
The study concludes that organisations need to look for a solution that can automate most, if not all, code signing processes, so that developers can stay secure as they build code fast.