Software companies struggle to improve build security
Nearly all (97%) IT executives believe that software providers need to improve the security of their software build and code signing processes, according to research from Venafi.
A survey of more than 1000 IT professionals, including 193 executives with responsibility for both security and software development, also found that 96% of executives believe software providers should be required to guarantee the integrity of the code in their software updates.
Meanwhile, 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines.
The report finds that executives are much more concerned about software supply chain attacks in light of the recent SolarWinds attack. But within their own software development organisations, executives are split on who is responsible for security improvements, with 48% nominating IT security and 46% naming development teams.
Meanwhile, 66% of executives say their company has not increased the number of questions they are asking software providers about the processes used to assure the security of their software and verify code in the wake of the attacks, and 55% of executives report that the hack has little or no impact on the concerns they consider when purchasing software products for their company.
Venafi head of content strategy Scott Carter said these findings suggest an overall lack of understanding among executives about how to evaluate the security of software.
“Most executives may simply not have access to the criteria that their teams need to evaluate the security of software that they will purchase or use within their organisation,” he said.
“In response to that void, Venafi has teamed up with Veracode with support from Sophos and Cloudbees to define a vendor-neutral map of standard controls. These diverse controls dramatically reduce risk and align with agile, high-performance software development pipelines.”
These controls range from using application security testing to identify serious security issues during the build process, to restricting administrative access to authoring tools, to requiring commits to be signed with a developer key.
Organisations should also ensure that automation access is read-only and that automation keys expire automatically, allow only dependencies from trusted registries, and require two code reviewers and a passing build before pull requests are merged, according to Carter.
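The controls above are listed in the article as policy; the following is an added example, not code from Venafi, Veracode or the article, showing how four of them (commits signed by a trusted developer key, dependencies only from trusted registries, two independent reviewers, and a passing build) can be enforced together as a single pre-merge gate. The key IDs, registry URLs, git log output and lockfile excerpt are all constructed for the example; the `%G?` signature-status codes are the ones `git log` actually emits.

```python
# Added example: a pull-request merge gate that enforces several of the
# supply-chain controls described above. All allow-lists and inputs below are
# constructed for illustration, not taken from any real project.
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical allow-lists; a real pipeline would load these from config.
TRUSTED_SIGNING_KEYS = {"4AEE18F83AFDEB23", "B5690EEEBB952194"}
TRUSTED_REGISTRIES = (
    "https://pypi.org/simple/",
    "https://packages.internal.example/simple/",
)

# Constructed output of: git log --format='%H %G? %GK' main..feature
# %G? codes: G = good signature, B = bad, U = good but untrusted key,
# X/Y/R = good but expired / expired key / revoked key, E = cannot be
# checked, N = no signature at all.
SAMPLE_GIT_LOG = """\
a1b2c3d4 G 4AEE18F83AFDEB23
e5f6a7b8 N
c9d0e1f2 G DEADBEEFCAFEF00D
"""

# Constructed lockfile excerpt: "name==version source_index_url" per line.
SAMPLE_LOCKFILE = """\
requests==2.31.0 https://pypi.org/simple/requests/
internal-auth==1.4.2 https://packages.internal.example/simple/internal-auth/
leftpad==0.0.1 https://pypi-mirror.attacker.example/simple/leftpad/
"""


@dataclass
class Commit:
    sha: str
    sig_status: str
    key_id: str = ""


def parse_git_log(text: str) -> List[Commit]:
    """Parse '%H %G? %GK' lines into Commit records (key is absent when unsigned)."""
    commits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[2] if len(parts) > 2 else ""
        commits.append(Commit(parts[0], parts[1], key))
    return commits


def unsigned_or_untrusted(commits: List[Commit]) -> List[str]:
    """Only a *good* ('G') signature from an allow-listed key passes."""
    return [c.sha for c in commits
            if not (c.sig_status == "G" and c.key_id in TRUSTED_SIGNING_KEYS)]


def untrusted_dependencies(lockfile: str) -> List[str]:
    """Return specs whose source index is not one of the trusted registries."""
    bad = []
    for line in lockfile.splitlines():
        if not line.strip():
            continue
        spec, url = line.split(maxsplit=1)
        if not url.startswith(TRUSTED_REGISTRIES):
            bad.append(spec)
    return bad


@dataclass
class PullRequest:
    author: str
    approvers: List[str]
    build_status: str
    git_log: str
    lockfile: str


def merge_gate(pr: PullRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is reported, not just the first."""
    reasons = []
    independent = {a for a in pr.approvers if a != pr.author}  # self-approval does not count
    if len(independent) < 2:
        reasons.append(f"need 2 independent approvals, have {len(independent)}")
    if pr.build_status != "success":
        reasons.append(f"build status is {pr.build_status!r}, not 'success'")
    bad_commits = unsigned_or_untrusted(parse_git_log(pr.git_log))
    if bad_commits:
        reasons.append("commits without a trusted signature: " + ", ".join(bad_commits))
    bad_deps = untrusted_dependencies(pr.lockfile)
    if bad_deps:
        reasons.append("dependencies outside trusted registries: " + ", ".join(bad_deps))
    return (not reasons, reasons)


def demo() -> Tuple[bool, List[str]]:
    """Run the gate over the constructed sample PR (two controls fail)."""
    pr = PullRequest(author="alice", approvers=["alice", "bob", "carol"],
                     build_status="success", git_log=SAMPLE_GIT_LOG,
                     lockfile=SAMPLE_LOCKFILE)
    return merge_gate(pr)


if __name__ == "__main__":
    ok, reasons = demo()
    print("MERGE ALLOWED" if ok else "MERGE BLOCKED")
    for r in reasons:
        print(" -", r)
```

Note that the gate deliberately treats "good signature, unknown key" (`U`) and "good signature, key not on the allow-list" the same as no signature: the control is that commits come from a known developer key, not merely that something signed them. In the sample PR the author's own approval is discarded, so only two independent reviews remain, which is exactly the threshold; the merge is still blocked by the unsigned commit, the commit signed with an unknown key, and the package pulled from a non-trusted index.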
