Survey finds significant jump in software supply chain attacks after Log4j exposed. Credit: Thinkstock More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.The survey bracketed the discovery of the vulnerability found in the Apache Log4 utility. Researchers conducted the survey from December 3 to December 30, 2021. Log4j was revealed December 9. Before that date, 55% of respondents said they had suffered a software supply chain attack. After that date, that number jumped to 65%.“That means there were brand new people who had not experienced a supply chain attack before Log4j, and that there were people who had experienced an earlier attack but were seeing a stronger impact after Log4j,” says Kim Weins, senior vice president at Anchore.Tech companies hit harder by software supply chain attacksThe survey also found more tech companies were significantly impacted by software supply chain attacks (15%), compared to other industries (3%). “Tech companies potentially create ROI for the bad actors,” Wein says. “If an attacker can get into a software product and that software product is delivered to thousands of other people, they now have a foothold in thousands of other companies.” Supply chain security also appears to be grabbing mindshare in many organizations, with 54% of respondents pegging it as a top or significant area of focus. Interest among mature container users was even higher, with 70% declaring supply chain security a top or significant focus for them.“The number of dependencies that you have to pay attention to goes up with containers and cloud-native deployments,” Weins says. “So, as people get more mature with containers, they recognize that they have to pay attention to all those extra attack surfaces created by those dependencies.” SBOM critical for securing the software supply chainWhile protecting the software supply chain appears to be top-of-mind for many respondents, the report noted, few are incorporating software bills of materials (SBOMs) into their security postures. For example, less than a third of respondents are following SBOM best practices and only 18% have a complete SBOM for all their applications.“We believe that SBOM is a critical foundation for securing the software supply chain because it provides you with the visibility into what software you’re actually using,” Weins says.An SBOM can also help speed up the response time of a security team when vulnerabilities are discovered. “Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years,” notes Sounil Yu, CISO of JupiterOne, an asset management and governance solutions company.“Without SBOMs, customers invest in black box solutions, resulting in a lack of awareness of all the components used in a product or service,” adds Rick Holland, CISO at Digital Shadows, a provider of digital risk protection solutions.Weins maintains that SBOM is going to be a must-do for 2022. “It’s becoming obvious to everybody that software security starts with understanding what you have—a complete list of components—and then using that to check for security before you deliver software. Then you need to continuously monitor the security of software after it has been deployed.” Related content news analysis LogoFAIL attack can inject malware in the firmware of many computers Researchers have shown how attackers can deliver malicious code into the UEFI of many PCs though BIOS splash screen graphics. By Lucian Constantin Dec 08, 2023 8 mins Malware Malware Cybercrime news Google expands minimum security guidelines for third-party vendors Google's updated Minimum Viable Secure Product (MVSP) program offers advice for working with researchers and warns against vendors charging extra for basic security features. By John P. Mello Jr. Dec 08, 2023 4 mins Application Security Supply Chain Supply Chain news New CISO appointments 2023 Keep up with news of CSO, CISO, and other senior security executive appointments. By CSO Staff Dec 08, 2023 28 mins CSO and CISO CSO and CISO CSO and CISO news Top cybersecurity product news of the week New product and service announcements from Coro, Descope, Genetec, Varonis, Cloudbrink, Databarracks, and Security Journey By CSO staff Dec 07, 2023 22 mins Generative AI Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe