Almost all (97%) IT managers believe that software vendors need to improve the security of their software creation and code signing processes, according to a study by Venafi.
A survey of more than 1,000 IT professionals, including 193 executives responsible for both security and software development, also found that 96% of executives believe that software vendors should be required to guarantee code integrity in their software updates.
Meanwhile, 94% of executives believe there should be clear consequences for software companies who fail to protect the integrity of their software creation pipelines.
The report finds that executives are much more concerned about software supply chain attacks in light of the recent SolarWinds attack. But within their own software development organizations, executives are divided over who is responsible for security improvements, with 48% naming IT security and 46% naming development teams.
Meanwhile, 66% of executives say their business has not increased the number of questions they ask software vendors about the processes used to keep their software secure and verify code in the wake of attacks, and 55% of executives say the hack has little or no impact on the concerns they consider when purchasing software products for their business.
Venafi’s head of content strategy Scott Carter said the findings suggest a general lack of understanding among executives on how to assess software security.
“Most leaders may simply not have access to the criteria their teams need to assess the security of the software they will buy or use within their organization,” he said.
“In response to this void, Venafi has partnered with Veracode with support from Sophos and Cloudbees to define a vendor-independent standard control map. These various controls significantly reduce risk and align with agile, high-performance software development pipelines.”
These controls range from using application security testing to identify serious security issues during the build process, to restricting administrative access to authoring tools, to requiring signatures that are validated with a developer key.
Organizations should also ensure that access to automation is read-only and that automation keys automatically expire, ensure that only dependencies from trusted registries can be used, and require two code reviewers and a passing build before pull requests are merged, according to Carter.
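The controls listed above map naturally onto a repository policy check. The following is an added example, not code from the article or from the Venafi/Veracode control map: a small checker that evaluates a repository's pipeline settings against those controls (two reviewers, passing build before merge, signed commits, security testing in the build, restricted admin access, read-only expiring automation keys, trusted dependency registries). The settings dictionary, token list and dependency manifest are constructed sample data, and every field name in them is an assumption chosen for this example rather than a real CI or registry API.

```python
"""Added example: evaluate a repository's pipeline settings against the
supply-chain controls described in the article. All data below is constructed
and the field names are assumptions for this example, not a real API."""

# Constructed sample policy (assumed field names). Several controls are
# deliberately left unmet so the checker has something to report.
REPO_POLICY = {
    "required_reviewers": 1,          # control: two code reviewers
    "require_passing_build": False,   # control: passing build before merge
    "require_signed_commits": True,   # control: signatures validated with a developer key
    "sast_in_build": True,            # control: application security testing during build
    "authoring_tool_admins": ["alice", "bob", "ci-bot", "contractor-shared"],
    "automation_tokens": [
        {"name": "deploy-bot", "scope": "read", "expires": "2025-01-01"},
        {"name": "release-bot", "scope": "write", "expires": None},
    ],
}

# Constructed allowlist of registries the organization trusts.
TRUSTED_REGISTRIES = {
    "https://pypi.org/simple",
    "https://registry.corp.example/simple",
}

# Constructed dependency manifest: (package name, index URL it resolves from).
DEPENDENCIES = [
    ("requests", "https://pypi.org/simple"),
    ("internal-auth", "https://registry.corp.example/simple"),
    ("leftpad-fork", "https://unknown-mirror.example/simple"),
]


def check_policy(policy, deps, trusted):
    """Return a list of control violations; an empty list means every control is met."""
    findings = []

    if policy["required_reviewers"] < 2:
        findings.append("merge requires fewer than two code reviewers")
    if not policy["require_passing_build"]:
        findings.append("merge allowed without a passing build")
    if not policy["require_signed_commits"]:
        findings.append("commits are not required to be signed with a developer key")
    if not policy["sast_in_build"]:
        findings.append("no application security testing runs in the build")

    # Restricting administrative access to authoring tools: shared accounts and
    # automation identities should not hold admin rights.
    for user in policy["authoring_tool_admins"]:
        if "shared" in user or user.endswith("-bot"):
            findings.append(f"shared or automation account '{user}' has admin access")

    # Automation access must be read-only and its keys must expire.
    for tok in policy["automation_tokens"]:
        if tok["scope"] != "read":
            findings.append(f"automation token '{tok['name']}' is not read-only")
        if tok["expires"] is None:
            findings.append(f"automation token '{tok['name']}' never expires")

    # Only dependencies from trusted registries may be used.
    for name, registry in deps:
        if registry not in trusted:
            findings.append(f"dependency '{name}' resolves from untrusted registry {registry}")

    return findings


if __name__ == "__main__":
    for finding in check_policy(REPO_POLICY, DEPENDENCIES, TRUSTED_REGISTRIES):
        print("VIOLATION:", finding)
```

Run as a script it prints one line per unmet control for the constructed policy; wired into CI, a non-empty result would be the signal to block the release until the pipeline settings are corrected.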