Software Supply Chain Security Threats: 2021 in Review

As CI/CD pipelines have become an increasingly popular attack vector, 2021 saw a huge rise in software supply chain attacks. Their number more than tripled in the past year, which makes securing the software delivery process one of the most urgent needs. In our latest study, we examine the top supply chain security threats that should be on your radar in 2022 and provide recommendations on how to best protect against them.

Software supply chain security in 2021: What did we learn?

Over the past six months, we at Argon analyzed dozens of customer security assessments to understand the state of enterprise software supply chain security. Here are the key things we’ve learned.

Supply chain attacks increased by more than 300%

Modern development pipelines are complex automated environments, with a wide variety of CI/CD tools used to build applications. On top of that, developers commonly repurpose chunks of open source code, and each software project might rely on dozens or even hundreds of open source dependencies.

This makes the software supply chain a prime target for attacks. Since the SolarWinds and Codecov incidents, supply chain attacks have been rapidly increasing in number and sophistication. According to our estimation, in 2021 they grew by an overwhelming 300% compared with 2020. The real number is likely even bigger, given that not every attack gets detected or reported.

The top supply chain security threats

Targeting the components of the software supply chain allows adversaries to compromise many victims at once and achieve widespread distribution of malicious code. Attackers use many different vectors to breach a software supplier and carry an attack through its development pipeline.

Our study showed that in 2021, attackers focused their efforts on:

  • Exploiting open source vulnerabilities

  • Poisoning widely used open source packages

  • Compromising CI/CD tools and code integrity

  • Manipulating the build process
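The second and third threats on this list, poisoned open source packages and loss of code integrity, are both caught at install time by the same control: every dependency pinned to an exact version and an expected content digest, so a substituted or tampered artifact fails to install. The following script is an added example written for this article, not Argon's tooling or anything from the report; it audits pip-style requirements lines for missing pins and missing `--hash=` digests, and the sample requirements it reads are constructed for the example.

```python
"""Lockfile integrity audit (added example; not Argon's code).

Flags dependencies that are not pinned to an exact version or that lack a
--hash= digest, the two conditions under which a poisoned or substituted
package would still install cleanly.
"""
import re
from dataclasses import dataclass

# Constructed sample requirements: one line pinned with a digest, one with an
# open version range, one pinned without any digest.
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"   # placeholder digest, not a real one
    "urllib3>=1.26\n"
    "pyyaml==6.0.1\n"
)

# Expected hex length for each digest algorithm pip accepts.
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.!+\-]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class Finding:
    package: str
    problem: str


def parse_requirements(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = text.replace("\\\n", " ")
    return [
        line.strip()
        for line in joined.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def audit(text):
    """Return one Finding per requirement that would let a tampered package in."""
    findings = []
    for req in parse_requirements(text):
        # Package name is everything before the first version operator or space.
        name = re.split(r"[<>=!~\s]", req, maxsplit=1)[0]
        if not PIN_RE.match(req):
            findings.append(Finding(name, "not pinned to an exact version"))
            continue
        hashes = HASH_RE.findall(req)
        if not hashes:
            findings.append(Finding(name, "pinned but no --hash digest"))
            continue
        for algo, digest in hashes:
            if len(digest) != DIGEST_LEN[algo]:
                findings.append(Finding(name, f"malformed {algo} digest"))
    return findings


def is_clean(text):
    """True when every requirement is pinned and carries a well-formed digest."""
    return not audit(text)


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.package}: {f.problem}")
```

Run against the constructed sample, the audit reports `urllib3` as unpinned and `pyyaml` as pinned without a digest, while the `requests` line passes. The same policy is enforced at install time by `pip install --require-hashes -r requirements.txt`, which refuses any requirement that is missing a digest or whose downloaded file does not match it; the script above is the pre-merge check that keeps such lines out of the lockfile in the first place.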

The level of security across dev environments remains low

In every development environment we examined, we found a wide array of critical misconfigurations and vulnerabilities in the pipeline tools, which reduced the overall security posture of the environment. The alarming number of issues illustrates the lack of adequate controls that organizations have in place to prevent supply chain attacks.

Teams don’t have visibility into the supply chain risk, and the adoption of security tools designed to protect the build process in the CI/CD pipeline is fairly limited in most organizations. In addition, established agile and DevOps practices prioritize rapid commits and deployments, putting security controls in place too late to prevent malicious activity.

Increased focus on supply chain security across the community

The good news is that we’re seeing growing awareness of supply chain risks in the security community and at the government level. Initiatives such as Google’s Supply-chain Levels for Software Artifacts (SLSA) and the Cloud Native Computing Foundation's Supply Chain Security Forum promote awareness and help set standards and guidelines for a secure software development life cycle.

Dive into the full report

Despite all the progress over the past year, the software supply chain security risks and exposures are still very real. Given the barrage of supply chain attacks that we witnessed in 2021, security and DevOps teams must prioritize protecting the complex system that makes up a modern software supply chain.

For more insights into software supply chain security trends, explore the full 2021 Software Supply Chain Security Report.

 
Picture of Eran Orzel

Eran Orzel

Eran is Chief Customer and Revenue Officer and founding member of Argon Security, the leader in software supply chain security. Prior to joining Argon, he held several roles at Check Point Software Technologies, most recently as the Global Head of Strategic Sales and Partnerships, where he led and played a significant role in the rapid growth of Check Point’s major business growth engines. Eran is an experienced and innovative business leader with over 20 years of experience in sales leadership and go-to-market operational roles in cybersecurity and enterprise software.
