By Anton Ivanov
Chief Technology Officer, Kaspersky
Digital transformation, that’s been boosted by the pandemic, has reached an unprecedented scale, with IDC expecting its global spending to reach $2.8 trillion within three years. Companies shifting their businesses online inevitably led to an increased adoption of digital products and a surge in IT expenditure. According to rough estimates, an average organization used about 110 different software-as-a-service applications in 2021. In comparison, that figure stood at 16 just five years ago. It’s clear that we are currently in a stage of high software consumption. What isn’t clear though is whether it has already peaked or if the peak is yet to come.
From a cybersecurity perspective, a business’ reliance on numerous types of software is a big issue as threat actors can benefit from the expanded attack surface. A recent global survey of over 400 companies showed that 98% of organizations were concerned about the security of their software. However, there isn’t much that they can do about it, aside from diligently patching their software as soon as updates are available.
However, on a level of mature enterprise, sustainability of IT infrastructure that includes various types of software depends on how much we know about each solution and our visibility into them. IT products are developed with extensive use of various open source libraries and elements sourced from third parties. With dozens and hundreds of software solutions in use, this means that achieving a high level of visibility is extremely challenging. Without clear security requirements for evaluating software security and promoting greater transparency, the cyber domain is likely to remain under limited control.
One of the concepts aimed at streamlining the connections across software supply chains is Software Build of Materials (SBOM). Borrowed from manufacturing, where the “Build of Materials” represents a list of items used in a product, SBOM is a de facto list of components that make up a software, containing comprehensive information and describing the relationships between each element. By having SBOMs in place, businesses have more chances of coping with security vulnerabilities and cybersecurity risks in a prompt manner by employing automation tools which can track newly identified flaws across them all.
In the fall of 2021, as part of its transparency efforts, Kaspersky made its SBOMs available at the company’s Transparency Centers. These centers primarily serve as facilities for the review of the company’s code, software updates, threat detection rules and other technical and business processes. Along with measures implemented by Kaspersky as part of its Global Transparency Initiative (GTI), the inclusion of SBOMs aims to empower our customers and partners with the information on how exactly our products are designed, what components they are made of, and how they operate. In doing this, our key goal is to ensure greater visibility into our solutions, our work and to give firm assurance in the security and integrity of our products.
Despite the fact that regulators and private players have praised the SBOM concept as crucial for ensuring sustainable and safe software use, fresh statistics show that fewer than a half of software developers use SBOMs to some extent today. On top of that, a mere 18% of companies use SBOMs across all segments of their business or have established practices that include the use of SBOMs.
The situation could potentially change in the near future as some governments can start considering SBOMs a necessary measure to enhance risk management in supply chains. The first being the US where, after the SolarWinds incident, SBOM has been promoted at a government level to become a wide-industry effort. Hopefully, the SBOM concept for software transparency will turn into an international effort.
Speaking of clear security requirements for software security, the European Union has also started a wider discussion on a legal framework that would bring together cybersecurity rules for digital products and services. It is likely that other governments will follow the EU’s lead, ensuring software vendors place adequate cybersecurity safeguards in their solutions, effectively respond to vulnerabilities throughout their products’ lifecycle, and systematically provide information on the product’s security. All these measures, while requiring greater transparency from software manufacturers, have the potential to enhance the security of products and build public trust in the digital economy.
For Kaspersky, the security of our users and customers is our first and foremost priority. The trust of our customers has always been seen as indispensable, and that’s why we make every effort to provide them with as much visibility into our work as possible. In 2017 we launched our GTI which was aimed at further strengthening our relationships with our partners and customers by boosting their assurance and trust in our solutions and services. We continue to develop and strengthen this initiative, for example, we have recently successfully renewed our SOC 2 audit for the protection of the development and the release process of our antivirus basis by a Big Four firm.
The industry developments that we see today indicate that transparency is achieving greater prominence: this is reflected by developments within the industry and various governments’ increasing their attention to greater security and integrity of software. Kaspersky, for its part, will seek to deliver solid support for this trend, making further continued investment in digital trust and transparency.