
so their BS detector is not entirely off
Ask 1,000 CIOs whether they believe their organizations are vulnerable to cyberattacks targeting their software supply chains and about 82 percent can be expected to say yes. Security biz Venafi engaged research firm Coleman Parkes to put that question to as many corporate IT leaders from the US, UK, France, Germany, Austria, …
Quote: "....organizations are vulnerable to cyberattacks targeting their software...."
Not sure that I understand the point of this article.
1. Megacorp buys software from supplier X.
2. Megacorp installs said software.
3. CIO of Megacorp starts to wonder about the security of said software.
4. CIO of Megacorp asks development director at supplier X "How can you be sure that your software does not compromise the security of Megacorp?"
5. Supplier X does an audit of the software used for development at supplier X... the list of third party software is very long.
6. Supplier X asks each third party vendor "How can you be sure that your software does not compromise the security of Supplier X?"
... and so on for each third party vendor... and then for the suppliers who supply the third party vendor...
My conclusion: Megacorp can never be certain about supplier X!!!
Megacorp also has the same problems as supplier X... with internal development processes.
... and it's probably worse than that... software versions everywhere seem to change regularly!!
"more code signing in CI/CD build pipelines"
How does this work for all the packages that form the software supply chain? Do you get the random developer in Nebraska to sign his package for you?
Or will some in-house developer be charged with verifying that the package does not contain a security risk and signing it with his key for each and every update?
What happens to the developer if a security risk is found in a package that was signed off?
Good luck on getting the bean counters to allow the expense of getting someone with the necessary skills to do that on a regular basis.
Done right it would be a big step in securing the software supply chain, but most companies won't be able to afford that.
I doubt it happens anywhere but in the most security sensitive setups.
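As an added illustration of the in-house sign-off this comment describes (example code written for this page, not from the article or any commenter): a reviewer signs an approval record (package name, version, SHA-256 of the exact artifact) with an Ed25519 key, and the CI step refuses any artifact whose hash or signature does not match. The Approval format, the package name and the artifact bytes are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Approval records that an in-house reviewer vetted one exact build of a
// third-party package. Hypothetical record format, not any real tool's.
type Approval struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
	Sig     []byte `json:"sig,omitempty"`
}

// Sign serialises the approval fields (without any signature) and signs
// them with the reviewer's private key.
func Sign(priv ed25519.PrivateKey, a Approval) Approval {
	a.Sig = nil
	msg, _ := json.Marshal(a)
	a.Sig = ed25519.Sign(priv, msg)
	return a
}

// Verify is what the CI step runs before installing the artifact: the
// signature must come from the reviewer key, and the artifact's hash must
// equal the one the reviewer approved, so a silently changed build fails.
func Verify(pub ed25519.PublicKey, a Approval, artifact []byte) error {
	sig := a.Sig
	a.Sig = nil
	msg, _ := json.Marshal(a)
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("%s@%s: approval signature invalid", a.Name, a.Version)
	}
	sum := sha256.Sum256(artifact)
	if got := hex.EncodeToString(sum[:]); got != a.SHA256 {
		return fmt.Errorf("%s@%s: artifact hash %s differs from approved %s", a.Name, a.Version, got, a.SHA256)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed package contents 1.2.3") // constructed sample
	sum := sha256.Sum256(artifact)
	a := Sign(priv, Approval{Name: "examplepkg", Version: "1.2.3", SHA256: hex.EncodeToString(sum[:])})
	fmt.Println("vetted build:", Verify(pub, a, artifact))
	fmt.Println("changed build:", Verify(pub, a, append(artifact, '!')))
}
```

The reviewer key, not the upstream developer's, is what CI trusts here, which is the cost the comment points at: someone in-house has to re-vet and re-sign on every update.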