As CI/CD pipelines have become an increasingly popular attack vector, 2021 saw a huge rise in software supply chain attacks. With their number more than tripling in the past year, securing the software delivery process is one of the most urgent needs. In our latest study, we examine the top supply chain security threats that should be on your radar in 2022 and provide recommendations on how to best protect against them.
Software supply chain security in 2021: What did we learn?
Over the past six months, we at Argon analyzed dozens of customer security assessments to understand the state of enterprise software supply chain security. Here are the key things we’ve learned.
Supply chain attacks increased by more than 300%
Modern development pipelines are complex automated environments, with a wide variety of CI/CD tools used to build applications. On top of that, developers commonly repurpose chunks of open source code, and each software project might rely on dozens or even hundreds of open source dependencies.
This makes the software supply chain a prime target for attacks. Since the SolarWinds and CodeCov incidents, supply chain attacks have been rapidly increasing in number and sophistication. According to our estimation, in 2021 they grew by an overwhelming 300% compared with 2020. The real number is likely even bigger, given that not every attack gets reported or detected.
The top supply chain security threats
Targeting the components of the software supply chain allows adversaries to compromise more victims at once and achieve widespread distribution of malicious code. To breach a software supplier and conduct a successful attack through the development pipeline, many different attack vectors are used.
Our study showed that in 2021, attackers focused their efforts on:
- Exploiting open source vulnerabilities
- Poisoning widely used open source packages
- Compromising CI/CD tools and code integrity
- Manipulating the build process
The level of security across dev environments remains low
In every development environment we examined, we found a wide array of critical misconfigurations and vulnerabilities in the pipeline tools, which reduced the overall security posture of the environment. The alarming number of issues illustrates the lack of adequate controls that organizations have in place to prevent supply chain attacks.
Teams don’t have visibility into the supply chain risk, and the adoption of security tools designed to protect the build process in the CI/CD pipeline is fairly limited in most organizations. In addition, established agile and DevOps practices prioritize rapid commits and deployments, putting security controls in place too late to prevent malicious activity.
Increased focus on supply chain security across the community
The good news is that we’re seeing growing awareness in the security community and on the government level about the supply chain risks. Initiatives such as Google’s Supply-chain Levels for Software Artifacts (SLSA) and the Cloud Native Computing Foundation’s Supply Chain Security Forum promote awareness and help set standards and guidelines for a secure software development life cycle.
Dive into the full report
Despite all the progress over the past year, the software supply chain security risks and exposures are still very real. Given the barrage of supply chain attacks that we witnessed in 2021, security and DevOps teams must prioritize protecting the complex system that makes up a modern software supply chain.
For more insights into software supply chain security trends, explore the full 2021 Software Supply Chain Security Report.