SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Organisations battle AI risks amid rise in supply chain attacks

Fri, 17th May 2024

More than half of global organisations have experienced a software supply chain attack in the past twelve months, according to a new report by Synopsys and the Ponemon Institute. Notably, half these organisations spent over a month formulating a response to the attack, whilst a fifth of them admitted to being ineffective in detecting and responding to such threats.

The report, titled 'The State of Software Supply Chain Security Risk', further revealed that Artificial Intelligence (AI) is increasingly being used in the process of software development. It found that 52% of the security professionals surveyed said their development teams utilise AI tools to generate code. OpenAI Codex was used by 50% of respondents, followed by ChatGPT at 45%, and GitHub Copilot at 43%.

However, a worrying observation from the survey is the lack of protective measures being put in place by organisations utilising AI. A mere 32% of the respondents said that they have processes in place to evaluate AI-generated code for risks such as licensing, security, and quality. Additionally, critical aspects like strict vetting of AI-generated code and a formal evaluation of the training data used to train AI still appear to be largely overlooked by many entities.

The report elaborates on what it referred to as "AI data poisoning attacks" where bad actors could feed AI tools with harmful, malware-embedded code. As AI systems rely on datasets for training, an impure dataset could result in potentially disastrous consequences.

Jason Schmitt, general manager, Synopsys Software Integrity Group, emphasised the prevalent weaknesses in existing software development processes and security standards. He stated, "Attackers are getting more sophisticated and thus finding more weaknesses that allow them to explore a supply chain where they can steal sensitive data, plant malware, and control systems. Particularly with the rise of AI-generated code, security teams need to maintain visibility into applications and continuously evaluate IP, security threats, and code quality to reduce risk."

Lack of sufficient resources dedicated to securing the supply chain was cited by 38% of security professionals as a primary concern. This lack of support from organisational leaders and the related safety risks it potentially carries is giving rise to a significant vulnerability in the software development field.

The increased use of AI and the emerging new forms of threats may necessitate stronger cross-organisational collaboration and more refined tactics to mitigate risks. Otherwise, the trajectory of the current situation points towards a continual rise in software supply chain attacks.

The survey was conducted with 1,278 IT and IT security practitioners from North America, EMEA, and Japan who are committed to achieving a secure software supply chain and have some responsibility for their organisation's software supply chain security strategy.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X