IT professionals believe that the coming year will see supply chain attacks surge, which ought to be the warning that software vendors need in order to tighten up their security. When it comes to holding their software partners accountable, however, businesses seem reluctant.
The verdict comes from a new report by Venafi, the identity management company, based on a poll of more than 1,000 IT and software development professionals. The report says that an overwhelming majority (94%) believe there should be clear consequences for software vendors who fail to safeguard the integrity of their software build pipelines.
No one is learning
Businesses have not done much to change how they evaluate the security of software purchases: 55% said the SolarWinds attack did not change their approach to software procurement. In-house executives also cannot agree on who is responsible for software security. 48% say that it is IT's responsibility, while 46% believe that the development team should be the ones tasked with it.
Kevin Bocek, the VP of Security Strategy and Threat Intelligence at Venafi, said that to address the systemic problem, the entire technology industry needs to change the way it builds and buys software, adding that executives cannot treat it as a merely technical problem when it is an existential threat.
A report in the works
Meanwhile, the Departments of Commerce and Homeland Security are looking to add elements of cybersecurity design into a report on the supply of information and communications technology that is required by executive order.
Stakeholders are invited to submit comments over the next 45 days (beginning Sep. 20), according to a notice from the Commerce Department's Bureau of Industry and Security.
Executive Order 14017 was issued on February 24, instructing the secretaries of the aforementioned agencies to publish, within a year, a report identifying critical sectors and subsectors of information and communications technology and the state of the related supply chains.