A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. Standard cybersecurity awareness training won’t be effective with developers, experts say. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.
The risks of insecure software were laid bare in early 2021 by the Sunburst supply chain attack in which threat actors infiltrated a commercial software application made by SolarWinds to target a wide range of organizations, individuals, and government agencies. The attack was not only complex and difficult to detect, but also wide reaching, impacting tens of thousands of victims. Furthermore, it served as a prompt to cybercriminals of the vulnerabilities surrounding software supply chains and the potential benefits of specifically targeting development lifecycles, including developers themselves.
Organizations fail to address software development cyber threats
Several months on from the SolarWinds attack, a new report from Osterman Research suggests that organizations have yet to address the underlying people-related security issues that can lead to such software supply chain compromises. Imperfect People, Vulnerable Applications outlines the human elements contributing to cyber risk in the software development lifecycle (SDLC) based on responses from 260 people in application development and security roles across the US and UK. It reveals that 45% of development teams feel their understanding of the latest application attacks is lacking, with the vast majority (81%) admitting to knowingly pushing vulnerable code live. What’s more, just 27% of front-line development professionals consider application security their responsibility, despite 80% of their senior managers believing it is.
The findings are no more positive from the perspective of cybersecurity professionals. Only half of CISOs (50%) have confidence that secure applications can be developed, while 45% of security workers believe developers do not understand the latest threats to application security. In fact, 56% of security teams believe their company would not be able to withstand a SolarWinds-style attack on their software build environment.