It’s no secret that software supply chain attacks have recently increased at a worrying pace, and the SolarWinds SUNBURST attack is the latest occurrence in this rising trend. A Mongolian Certificate Authority experienced a supply chain attack, and a recent report revealed that North Korean cyber crime profits are up to $1 billion dollars annually. With the ever-changing security industry and the expanding threat landscape, it is more important than ever for organizations of all industries to invest in high quality cyber security teams and strategies.
This begs the question: within an organization, what team is actually responsible for securing software build and delivery environments? The consequences of not being on the same page could be dire, so Venafi conducted a global survey evaluating the impact of the SUNBURST, CodeCov and REvil attacks on how development organizations are changing their approach to cyber security. After examining the responses of over 1,000 information security professionals, developers, and executives in IT and software development, the results were very enlightening!
According to the survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments. For example, when asked who is primarily responsible for improving the security of their organization’s software development environments, 48 percent of respondents say their security teams are responsible and 48 percent say their development teams are responsible.
“While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can’t even agree on who us responsible for taking these actions it’s pretty clear that we aren’t even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves.”
If those results don’t concern you, they should! Most organizations are dangerously unclear as to which teams have the incentive and directives they need to do their vital work. Bocek continues, “The only way to minimize the risk of future attacks is to enable developers to move fast, from idea to production, without compromising security. Speed of innovation and security are inseparable in software development. In the same way a Formula 1 engineer builds for performance and safety at the same time, software developers also need to be accountable for both. To accomplish this, developers clearly need help and support from security teams. Boards, CEOs, and managing directors need to take action to ensure clear lines of ownership so changes are in place and they can hold teams accountable.”
Ultimately, the only wrong answer to this question is not having an answer at all! There’s nothing wrong with different organizations preferring different approaches to securing software build pipelines. The only thing that really matters is whether every single member of your team is crystal clear on what processes they own, and that every aspect of your security strategy is owned by someone. Leaving information that critical up to interperpretation will unquestionably leave you vulnerable to attack.