Are you ready to bring more awareness to your brand? Consider becoming a sponsor for The AI Impact Tour. Learn more about the opportunities here.
The report found that the level of security across software development environments remains low, and every company evaluated had vulnerabilities and misconfigurations that can expose them to supply chain attacks. The study identified three primary areas of risk that companies should understand and address to improve software supply chain security.
Vulnerable package usage is one of the fastest-growing methods of carrying out a software supply chain attack. Two common attacks that leverage vulnerable packages are:
1) exploiting packages’ existing vulnerabilities to obtain access to the application and execute the attack, and;
The AI Impact Tour
Connect with the enterprise AI community at VentureBeat’s AI Impact Tour coming to a city near you!
2) planting malicious code in popular open source packages and private packages to trick developers or automated pipeline tools into incorporating them as part of the application build process.
Furthermore, compromised CI/CD pipeline can expose an application’s source code. This type of breach is difficult to identify and can cause significant damage if left undetected. Attackers can take advantage of privileged access, misconfigurations, and vulnerabilities in the CI/CD pipeline infrastructure, which provides access to critical IT infrastructure, development processes, source code, and applications. It enables attackers to change code or inject malicious code during the build process and tamper with applications.
Finally, code/artifact integrity was another one of the main risk areas identified. The upload of bad code to source code repositories directly impacts artifact quality and security posture. Common issues that were found in most customer environments were sensitive data in code, code quality and security issues, infrastructure as code issues, container image vulnerabilities and misconfigurations. Many issues that were discovered required time-intensive cleanup projects to reduce exposure.
Findings were based on a six-month analysis of customer security assessments conducted by Argon’s researchers to determine the state of enterprise security and readiness to defend against software supply chain attacks.
Read the full report by Argon Security and Aqua Security.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.