Survey finds significant jump in software supply chain attacks after Log4j exposed. Credit: Thinkstock More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.The survey bracketed the discovery of the vulnerability found in the Apache Log4 utility. Researchers conducted the survey from December 3 to December 30, 2021. Log4j was revealed December 9. Before that date, 55% of respondents said they had suffered a software supply chain attack. After that date, that number jumped to 65%.“That means there were brand new people who had not experienced a supply chain attack before Log4j, and that there were people who had experienced an earlier attack but were seeing a stronger impact after Log4j,” says Kim Weins, senior vice president at Anchore.Tech companies hit harder by software supply chain attacksThe survey also found more tech companies were significantly impacted by software supply chain attacks (15%), compared to other industries (3%). “Tech companies potentially create ROI for the bad actors,” Wein says. “If an attacker can get into a software product and that software product is delivered to thousands of other people, they now have a foothold in thousands of other companies.” Supply chain security also appears to be grabbing mindshare in many organizations, with 54% of respondents pegging it as a top or significant area of focus. Interest among mature container users was even higher, with 70% declaring supply chain security a top or significant focus for them.“The number of dependencies that you have to pay attention to goes up with containers and cloud-native deployments,” Weins says. “So, as people get more mature with containers, they recognize that they have to pay attention to all those extra attack surfaces created by those dependencies.” SBOM critical for securing the software supply chainWhile protecting the software supply chain appears to be top-of-mind for many respondents, the report noted, few are incorporating software bills of materials (SBOMs) into their security postures. For example, less than a third of respondents are following SBOM best practices and only 18% have a complete SBOM for all their applications.“We believe that SBOM is a critical foundation for securing the software supply chain because it provides you with the visibility into what software you’re actually using,” Weins says.An SBOM can also help speed up the response time of a security team when vulnerabilities are discovered. “Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years,” notes Sounil Yu, CISO of JupiterOne, an asset management and governance solutions company.“Without SBOMs, customers invest in black box solutions, resulting in a lack of awareness of all the components used in a product or service,” adds Rick Holland, CISO at Digital Shadows, a provider of digital risk protection solutions.Weins maintains that SBOM is going to be a must-do for 2022. “It’s becoming obvious to everybody that software security starts with understanding what you have—a complete list of components—and then using that to check for security before you deliver software. Then you need to continuously monitor the security of software after it has been deployed.” Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe