
Lineaje Unveils Alarming Gaps in Software Supply Chain Security Preparedness

Lineaje, a software supply chain security management provider, has released findings from research it conducted at RSA Conference 2024. The survey of over 100 security professionals revealed significant gaps in preparedness for, and awareness of, software supply chain security regulations.

According to the survey, only 20% of companies affected by the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure Software Development Attestation Form are prepared for the compliance deadline of June 11, 2024 (the deadline for producers of critical software; producers of other software have until September 11, 2024). The form, issued under Executive Order (EO) 14028, requires software producers selling to the U.S. government to attest that they follow the secure development practices the order calls for.

In the past year, software supply chain attacks in the U.S. surged, impacting over 2,700 organizations, the highest number reported since 2017. This 58% increase underscores the need for adherence to EO 14028. For a vendor, non-compliance can mean loss of eligibility to sell software to federal agencies and legal and financial penalties for a false attestation, on top of the heightened exposure to attack and the reputational damage that weak supply chain controls invite.

Despite the urgency, 84% of respondents reported that their companies have not integrated Software Bills of Materials (SBOMs) into their development processes, a practice EO 14028 has called for since it was signed in May 2021. This gap indicates a disconnect between federal cybersecurity initiatives and their execution in the industry.

“Executive Order 14028 urges organizations working with government agencies to modernize their security protocols, including generating SBOMs and attestation to secure development practices, which is viewed as a major leap forward for national cybersecurity,” stated Katie Norton, Research Manager at IDC. “However, most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks.”

The survey highlights additional concerning trends:

  • Lack of Awareness: 65% of security professionals surveyed had never heard of EO 14028, and half of those familiar with it were unaware of its specific requirements.

  • Primary Concerns: Security vulnerabilities top the list of concerns for 56% of respondents, followed by compliance regulations at 22%.

  • Open-Source Software Risks: While nearly 60% of respondents’ companies use open-source components, only 16% could confidently state that their open-source software is secure. Additionally, only a slight majority (56%) have the tools to identify and mitigate risks associated with these components.

  • Resource Constraints: Budget limitations (45%) and staffing shortages (36%) are significant barriers to enhancing software supply chain security, explaining the lag in compliance and tool adoption.

“The efforts of the federal government to safeguard our software supply chain are laudable—but it's clear that awareness has fallen short,” remarked Javed Hasan, CEO and co-founder of Lineaje. “While businesses can't build without open-source software, they also can't survive long-term if that same open-source software is riddled with security vulnerabilities. Software vendors and cybersecurity professionals need to educate themselves and take immediate action on the upcoming compliance deadlines to protect their organizations and contribute to enhancing the nation's overall cybersecurity posture.”

As the June 2024 deadline approaches, it is imperative for organizations to elevate their security protocols, invest in necessary tools, and stay informed about regulatory requirements to mitigate the risks posed by software supply chain vulnerabilities.
