6 Eye-Opening Statistics About Software Supply Chain Security
The latest facts and figures on the state of software supply chain security in the enterprise.
October 27, 2021
News and analysis of the SolarWinds hack that broke at the end of 2020 has set the tone for discourse about the security of the software supply chain. Attackers always look for the path of least resistance, and they’re increasingly finding that one big compromise at a software supplier can give them easier access to that organization’s many customers.
The following statistics offer some measurement of the growth of these supply chain attacks, the cost and impacts from these attacks, and the level of concern voiced by organizations that are feeling the brunt of insecurities in the software supply chain.
Stat Source: ENISA Threat Landscape for Supply Chain Attacks, European Union Agency for Cybersecurity (ENISA), 2021
Based on a study of supply chain attacks conducted by the European Union Agency for Cybersecurity (ENISA), 2021 is shaping up to see four times as many supply chain attacks as last year. Among the attacks observed over the past couple of years, more than half are attributed to APT groups or well-known attackers, the agency reports.
“As the cost of direct attacks against well-protected organizations increases, attackers prefer to attack their supply chain, which provides the additional motivation of a potentially large-scale and cross-border impact,” the report explains.
Stat Source: Global C-Suite Security Survey, Cloudbees 2021
A recent survey of 500 C-suite executives about the state of their organizations’ software supply chain shows some 45% believe they are only halfway there when it comes to securing their software supply chain with measures such as code signing, managing artifacts, and limiting dependencies to trusted registries.
The study, conducted by Regina Corso Consulting on behalf of CloudBees, also shows that 64% of executives wouldn't know who to turn to first if their software supply chain were attacked. These admissions are interesting considering that 93% of respondents said they feel very prepared to deal with cyberattacks on their supply chain — potentially signifying a level of cognitive dissonance about the issue.
Stat Source: Anchore 2021 Software Supply Chain Security Report
More than two-thirds of 425 IT, security, and DevOps leaders at large enterprises report having been impacted by supply chain attacks in the last year, according to a midyear report from Anchore. The attacks have gained attention in their organizations: the majority (80%) now report that software supply chain security is at least somewhat of a focus, and some 60% say it is a significant or top area of focus for them.
Three of the most commonly cited challenges for organizations in securing their software supply chain are securing open source software containers, securing code their organization writes, and understanding the full software bill of materials that goes into running software — including things like open source libraries and source code.
Stat Source: 2021 State of the Software Supply Chain Report, Sonatype
Organizations don’t just have to worry about legacy software supply chain exploits that go after publicly disclosed open source vulnerabilities that are left unpatched. Now the bad guys are getting proactive by inserting their own vulnerabilities and backdoors into software — as dramatically evidenced by the SolarWinds debacle. According to a report by Sonatype, these kinds of next-gen software supply chain attacks are growing steeply, up 650% in the past year.
Some of the most common types of next-gen supply chain attacks are dependency or namespace confusion attacks, typosquatting attacks, and injection of malicious source code.
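As an added illustration (not from the Sonatype report or this article), here is a small pre-install audit of a Python requirements file for the first two attack classes named above: it flags private package names that a public index could shadow (dependency/namespace confusion) and unknown names that sit within a short edit distance of a known public package (typosquatting). The package names, the allowlist and the sample requirements are constructed for the example.

```python
import re

# Constructed: packages published only to the company's private index.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth-client"}
# Constructed allowlist of public packages the team actually depends on.
KNOWN_PUBLIC_PACKAGES = {"requests", "urllib3", "numpy", "cryptography"}

# Constructed sample requirements.txt mixing public and private packages.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0
reqeusts
acme-billing
acme_auth_client==1.4.0
numpy>=1.26
"""

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Plain Levenshtein distance (a transposition counts as 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_requirements(text):
    """Return (name, category, detail) findings for a requirements file."""
    lines = [l.strip() for l in text.splitlines()]
    # pip treats --extra-index-url as a peer of PyPI and picks the highest
    # version across all indexes, so a public clone of a private name wins.
    uses_extra_index = any(l.startswith("--extra-index-url") for l in lines)
    findings = []
    for line in lines:
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"([A-Za-z0-9._-]+)\s*(==|>=|<=|~=|!=|<|>)?", line)
        name, pinned = normalize(m.group(1)), m.group(2) == "=="
        if name in INTERNAL_PACKAGES:
            if uses_extra_index:
                findings.append((name, "dependency-confusion",
                                 "private name resolvable from a public index"))
            if not pinned:
                findings.append((name, "unpinned-internal", "no == version pin"))
        elif name not in KNOWN_PUBLIC_PACKAGES:
            near = sorted(k for k in KNOWN_PUBLIC_PACKAGES if edit_distance(name, k) <= 2)
            if near:
                findings.append((name, "typosquat", f"close to {near}"))
    return findings
```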
Stat Source: Ripples Across the Risk Surface 2021, RiskRecon/Cyentia Institute
A recent study conducted by the Cyentia Institute on behalf of RiskRecon looked at 897 multiparty ripple breach incidents since 2008. These are security events that impacted three or more firms emanating from a single incident, including supply chain incidents. The study shows that a median ripple breach event causes 10x the financial damage of a median traditional single-party breach and that the worst ripple events are 26x more costly than the worst traditional breaches.
Cyentia shows it can take a long time — 379 days — for the typical ripple breach’s effects to impact 75% of the downstream victims.
Stat Source: 2021 Executive Survey, Venafi
Even after the fallout and analysis of the downstream impacts of the SolarWinds supply chain breach, most organizations are still not necessarily taking action based on those learnings. A study by Venafi of over 1,000 IT and development professionals shows that since SolarWinds, 69% of them have not increased the number of questions they ask their software providers about the processes used to assure the security of their software and to verify code.
Additionally, 55% of respondents said that the SolarWinds hack had little or no impact on the concerns they consider when purchasing software. That means, while concern is high about supply chain attacks, nobody is actually holding the suppliers’ feet to the fire just yet.