While security and software development teams bicker over whose responsibility it is to improve security in the software build and distribution environments, a new major supply chain attack could well be brewing.
This is according to a new report from machine identity management firm Venafi. Polling more than 1,000 information security professionals, developers, and executives in the IT and software development industries, Venafi found that almost half (48 percent) believe security teams are responsible, while an identical share (48 percent) say their development teams are responsible.
At the same time, more than two-thirds of developer respondents (69 percent) believe developers are responsible for the security of their organization's software build processes, and a similar share of security professionals (67 percent) believe the same of their own teams.
When asked whose responsibility this should be, 58 percent of security respondents said it was their burden and 53 percent of developers said it should be theirs. Just eight percent suggested the responsibility should be shared.
While they can’t agree on who is responsible, they can agree on one factor: the techniques and procedures used in the infamous SolarWinds attack will be reused in new attacks this year. As they wait to see when they’ll get hit with such an attack, 80 percent of respondents said they weren’t completely confident their organization would be able to defend itself.
“SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines,” said Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi.
“The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can’t even agree on who is responsible for taking these actions, it’s pretty clear that we aren’t even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves.”