Lineaje study also reveals that only 16% of respondents have implemented Software Bills of Materials into the development process, a critical component of EO 14028
Lineaje, a leader in continuous software supply chain security management, today released the results of research conducted at RSA Conference 2024, unveiling significant gaps in software supply chain security regulation preparedness and awareness.
The survey of over 100 security professionals found that just 20% of companies impacted by the U.S. Cybersecurity & Infrastructure Agency’s (CISA’s) Secure Software Development Attestation Form are prepared to meet the imminent compliance deadline of June 11, 2024. The form, part of Executive Order (EO) 14028, requires software producers who work with the U.S. government to adhere to and confirm the deployment of key security practices.
In 2023, software supply chain attacks in the U.S. impacted over 2,700 organizations, the highest number on record since 2017. The number of affected companies grew by 58% in the past year, highlighting the importance of complying with EO 14028. Failure to comply with EO 14028 can have severe consequences, including potential legal and financial penalties, increased vulnerability to cyberattacks, and damage to an organization’s reputation.
Given the looming threats and consequences, it’s alarming that 84% of respondents’ companies have not implemented Software Bills of Materials (SBOMs) into their development process, despite EO 14028 making SBOMs mandatory in May 2021. These findings demonstrate that, in many cases, the federal government’s efforts to prevent cyber infiltration have yet to translate into real-world action.
“Executive Order 14028 urges organizations working with government agencies to modernize their security protocols, including generating SBOMs and attestation to secure development practices, which is viewed as a major leap forward for national cybersecurity,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “However, most organizations are unaware of their exposure and are inadequately protected, leaving them prone to supply chain attacks. IDC research found 23% of organizations surveyed experienced a software supply chain attack, a 241% increase from the prior year, affirming Lineaje’s call to increase awareness and urgency among cybersecurity professionals.”
Additional findings include:
- Many security professionals simply are unaware of EO 14028. Despite potential penalties associated with non-compliance, Lineaje’s survey revealed that 65% of respondents have never heard of EO 14028. Meanwhile, roughly half of those familiar with it are unaware of its specific criteria.
- Vulnerabilities top the list of software supply chain woes. Security vulnerabilities were the top concern for 56% of respondents, followed by adhering to compliance regulations (22%).
- Security professionals have serious concerns about open-source software, but many lack the tools to identify and mitigate those concerns. Nearly 60% of respondents said their companies used open-source components in their software, but only 16% could confidently say the average open-source software is secure. While a slight majority (56%) claim to have the tools to identify and mitigate issues in these components, nearly a quarter were unsure, and nearly 20% had no tools. Meanwhile, 66% of respondents’ companies have invested in tools to find and fix vulnerabilities within internally built software.
- Budget and staff restrictions could be responsible for lagging compliance and tool adoption. When asked about current limitations for securing their companies’ software, the top responses included budget limitations (45%) and lack of staffing resources (36%), which may explain the slower uptake of software supply chain security measures.
“The efforts of the federal government to safeguard our software supply chain are laudable—but it’s clear that awareness has fallen short,” said Javed Hasan, CEO and co-founder, Lineaje. “While businesses can’t build without open-source software, they also can’t survive long-term if that same open-source software is riddled with security vulnerabilities. Software vendors and cybersecurity professionals need to educate themselves and take immediate action on the upcoming compliance deadlines to protect their organizations and contribute to enhancing the nation’s overall cybersecurity posture.”