The latest report from CloudBees is bad news for the cloud industry, with many companies still not fully securing their supply chain.
Supply chain attacks have become increasingly common, with hackers viewing them as a high-reward attack vector. Rather than trying to compromise individual targets, attackers can get far greater results from a single successful attack against a vendor whose software or APIs are used by thousands of companies.
Unfortunately, many companies have yet to fully secure their supply chain, according to CloudBees. Of the C-suite executives surveyed, 93% believed they were well-prepared for an attack. A deeper dive, however, showed a different story.
A whopping 45% of execs say they are only halfway through the process of securing their supply chain, with only 23% nearly done. Even worse, a disturbing 64% say they don’t know who they would turn to first in the wake of an attack.
“We discovered that as software becomes the primary source of customer experience and value, supply chain security is getting the attention it deserves and at the proper levels in the organization,” writes Prakash Sethuraman, Chief Information Security Officer, CloudBees. “However, this study reveals gaps that indicate supply chain security is not well understood, nor are systems as robust or comprehensive as they should be.
“Bottom line, the results reinforce the concept that software supply chain security needs to go beyond ‘shift left’ to ‘shift security everywhere’ — with automation. The software you are developing must be as secure as possible, but it doesn’t stop there. The delivery process itself must be protected, and you have to be able to detect and instantly mitigate problems in production to consider your software supply chain as secure.”