Execs Need Less Talk, More Action on Software Security

As the software industry struggles to recover from a supply chain security crisis, a study from Venafi indicates industry executives are saying the right things but doing very little to back up the rhetoric with decisive action to ensure vendor security.

The survey evaluated the opinions of more than 1,000 IT and development professionals, including 193 executives with responsibility for both security and software development.

Less Talk, More Action on Software Security

The results revealed a glaring disconnect between executive concern and executive action:

The vast majority (94%) of executives said they believe there should be clear consequences for software vendors who fail to protect the integrity of their software build pipelines.

However, most of those same respondents have done little to change the way they evaluate the security of the software they purchase, or the assurances they demand from software providers.

About seven in 10 executives surveyed said their company has not increased the number of questions they are asking software providers about the processes used to assure software security and verify code.

Within their own organizations, respondents were split on who is responsible for improving software security: nearly half (48%) said IT security is responsible and 46% said development teams are responsible.

“With the underfunding of regulatory bodies, reputational damage should be the ultimate consequence for negligent software vendors. But, sadly, this isn’t the case,” said Stuart Winter-Tear, director of strategy at ThreatModeler. “It has been shown buyers of software will still prioritize factors such as price and convenience over security.”

He pointed to the survey’s finding that 55% of executives admitted the SolarWinds hack has had little or no impact on their considerations when purchasing their company’s software products.

“The fact that the SolarWinds attack had no impact on those concerns when purchasing software for their organizations is deeply concerning,” he said.

Winter-Tear explained the challenges for improving software supply chain security are the same as they are for all software.

Beyond the underfunding of regulatory bodies, reputational damage is almost non-existent as consumers have become desensitized to the slew of reported cybersecurity problems.

“Even after breaches, consumers will stay with companies based on considerations such as price and convenience rather than security,” he said. “Even share prices bounce back quickly after the initial breach shock plummet. This leaves little incentive for executives to truly grapple with a very hard problem.”

Consequences? What Consequences?

Jon Gaines, senior application security consultant at nVisium, said the repercussions for failing to secure software build pipelines should “absolutely” include larger fines, mandatory third-party audits or even monetary payments.

“In my opinion, threatening more consequences won’t have a huge impact, though,” he said. “Yes, a breach or a hack costs more than fixing a potential problem earlier and I think that this issue needs to be solved in the same way: beforehand.”

From Gaines’ perspective, providing company tax breaks for going above and beyond regulations and the law is the best way to make companies take this seriously—not throwing more fines and penalties at the problem.

“You have this blatant disconnect between executive concern and executive action because of a common mindset of, ‘It will never happen to me’ or even ‘We are too small to be a target’,” he said. “As it sits, you can’t force a software vendor or platform to disclose its own security practices. In addition, you also can often pass off some of the responsibility to the third party if you use their software.”

Because organizations don’t want the onus and responsibility, it is essentially out of sight and out of mind. Gaines noted it’s also extremely costly for an organization to audit a third-party software company.

Lastly, there’s the fact that an organization may not even have the ability to create or audit the software themselves.

“Essentially, if you’re a user at a non-technical company, you can’t refuse the software the company has already adopted,” he pointed out. “And if they do, said software vendor has plenty of other companies willing to do so.”

John Bambenek, principal threat hunter at Netenrich, said ultimately, it is a question of putting in appropriate change controls so that no one can make unauthorized code changes and any private signing key must be zealously protected against misuse.

He explained that one of the biggest challenges to improving software supply chain security is DevOps and the increasingly decentralized nature of software engineering.

“When security isn’t part of software engineering, it’s very expensive to put it in after the fact; it’s often more expensive,” he said. “Security earns no company revenue—it’s always a cost center, so there is a disincentive to spend on it.”

Like Gaines and Winter-Tear, Bambenek agreed that one of the main contributors to the lack of executive action on security improvements stems from the fact that many people think security is someone else’s problem.

“Sure, software vendors have a responsibility to protect their code,” he said. “However, organizations need to ensure they have resilience to detect misuse of their resources regardless of how attackers get the initial foothold. Blame is easy; few want to take responsibility.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
