Software supply chain security is coming of age

But who is responsible for identifying and solving problems?

Coalfire’s first Securealities Software Supply Chain Risk Report revealed dramatic budget increases for enterprise security in general and a growing demand for more testing, training, and process improvements in the battle to defend digital assets. But perhaps the most significant takeaway from the report is the rise in executive-level risk awareness of the need to secure software development lifecycles and supply chains. With more than half of respondents now “very” or “extremely” concerned, we’re at a historic tipping point in mainstreaming corporate cyber consciousness around these relatively newly-appreciated attack vectors.

How did this happen so fast? Already in high gear with cloud migration, the phenomenon accelerated following Solar Winds and other high-profile breaches. Since then, managing software supply chain risk has become a critical component of any application security program, and software developers and security teams are being held to higher standards as a result.

We accept the challenge

More management attention on cyber concerns is welcome news – but what are the new expectations, and who is responsible for raising today’s mission-critical SDLC and supply chain issues? Who takes charge in identifying and addressing these problems on the job and in real time?

Though 60% of software-buying organizations in the survey said that their security staff were the ones expected to raise red flags, growing C-level concern – now up to 51% - implies that it’s no longer just for technical security teams to worry about anymore. While progress is being made with the C-level, there is a lack of involvement from the VP level, indicating that there is work to be done on cascading security priorities down the chain of command. Even more interesting, for those organizations whose business is developing software, a significantly higher 70%+ say it’s their DevOps teams that are raising software supply chain security concerns and taking the lead on decision-making.

Of course, it’s in their wheelhouse and you would expect that security teams are going to be the ones most concerned about software supply chain security – and, honestly, I have some questions for the 30% of software developing organizations and the 40% of software buying organizations whose security teams aren’t the ones raising concerns about supply chain and development lifecycle exposure. It probably reflects a lack of maturity in those companies where security is still limited in scope and confined to focusing on traditional basics like access control and endpoint threats.

Despite software supply chain security being a relatively recent focus area, it’s going mainstream fast and security teams can no longer operate in a vacuum. This is especially true in the practice of application security where security teams must work together to influence and get the support and cooperation of other experts in areas such as product development, customer relations, and vendor management to be successful. Security teams have the domain expertise and risk management knowledge that are foundational to successful programs, but they need to draw on other parts of the organization to truly understand the risks and allocate the necessary resources.

That’s why it’s so encouraging to see C-level management, along with software developers, buyers, and sellers, taking such an interest in software supply chain security. This demonstrates that security teams are making progress and that other stakeholders are proactively addressing the issues and taking supply chain risk more seriously.

Money talks

Another finding from the research that provides additional cause for optimism is that organizations are dedicating more budget and thus placing more priority on security program management. Of those surveyed, 84% said that their organization would likely dedicate at least 5% of their application security budget to addressing supply chain security with fully 36% saying that they were likely to dedicate 10% or more of their budget to the issue.

If security teams are effectively collaborating with other departments and specialists and have budget allocated toward software supply chain protection, that puts these organizations in a position where they can address these risks in a more measurable and meaningful manner. Most companies and executive leadership teams surveyed are embracing creative strategies and tactics that enhance cyber visibility such as SBOMs and SLAs with their suppliers – everyone’s got customers who now demand digital integrity and security assurance with everything they buy.

In the past and all too often, security teams seemed to be left standing alone, trying to get their organizations to share their concerns about cyber risks that were difficult to understand, and even harder for ELTs to act upon. Getting more budget allocations, more product developers, and more non-securityplayers invested in addressing software security issues are steps in a very productive direction.

Given the increasing vulnerabilities along software supply chains, we believe the entire cyber industry is coming of age with heightened risk management maturity. Coalfire’s research shows that budgets and best practices are top of mind with corporate leadership, and organizations are taking security far more seriously. Cyber professionals are getting more divisions involved and more people working together, and executive leadership teams are allocating the resources required to assure partners, suppliers, and customers that they are safe bets to do business with.