ReversingLabs' Jasmine Noel switched it up a bit at RSA Conference with her "Software Supply ChainSecurity Is No Game, Or Is It?" presentation, and made it an interactive experience for those watching. Her game-show for attendees made it fun, but also covered key information on the state of software supply chain security from ReversingLabs’ recent survey of 300 global IT and security professionals.
Here are some of those question posed to the audience from that survey.
[ Get key takeaways from a survey of 300+ security professionals on software security. Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks ]
Question 1: What software supply chain risk is the biggest concern for software companies today?
The answer: software vulnerabilities. Noel highlighted that this survey finding made sense when looking back on the impact of Log4j, which made the industry more aware of the risks associated with software vulnerabilities. To continue, she asked attendees what percentage of organizations can actually detect software tampering, another major supply chain risk.
An audience member guessed the answer correctly: only (37%) of software-publishing organizations can actually detect tampering. Pushing on tampering further, Noel asked a follow up: How many of these organizations who do check for tampering, check after the build process is complete? Attendees, unable to correctly answer the question, were stunned to learn that roughly half of these organizations do not check after the build.
Question 2: What are the top reasons organizations use SBOMs?
Moving on from direct supply chain risks, Jasmine discussed the importance of utilizing Software Bills of Materials (SBOMs) in the fight to secure software. She again tapped into the findings of our survey to quiz the attendees on their knowledge of the state of SBOMs. First, she asked the audience what the top reasons are for why organizations use SBOMs.
Attendees guessed correctly: Wanting to discover if risks are present in a software product, as well as wanting to follow best practices.
Question 3: Why are many organizations still not generating and reviewing SBOMs?
Next, Noel asked attendees why many organizations still are not generating and reviewing SBOMs, despite all of the attention given to them, by the Feds and beyond.
The answer: A general lack of internal expertise and staffing to get the job done properly. Finally,
Question 4: Which SBOM components are reviewed most?
Jasmine tested attendees on what components of an SBOM are reviewed the most. A number of members in the audience correctly answered, saying that both internally developed components along with open source components are the key factors for most organizations when reviewing an SBOM.
The real prize: Understanding the risk of software supply chain attacks
The folks who answered Noel’s questions were rewarded with prizes, making for a true game show experience. But there is no question of whether software supply chain security is a game or not.
From the look of these survey findings… it definitely isn’t. It’s clear that the industry as a whole is lacking in its ability to secure software, and needs modern day solutions to solve this ever growing concern. To learn more about the state of software security, check out ReversingLab's new report on the recent survey.
ReversingLabs offers innovative solutions that meet the needs of the software industry. If you would like to learn more about how we aid organizations’ software assurance strategies, check out secure.software, our modern-day solution to tackling software supply chain risk. We are now offering early access to the full launch of this solution, so be sure to talk with us to get all of the benefits this solution could bring your organization.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.