Venafi Survey: Execs Say Companies Negligent in Protecting Security Software Build Environments Should Face Clear Consequences

However, the C-suite is not demanding greater software supply chain assurance from vendors

SALT LAKE CITY--()--Venafi®, the inventor and leading provider of machine identity management, today announced survey results highlighting the challenges of improving software supply chain security. The survey evaluated the opinions of more than 1,000 IT and development professionals, including 193 executives with responsibility for both security and software development, and revealed a glaring disconnect between executive concern and executive action. While 94% of executives believe there should be clear consequences (fines, greater legal liability for companies proven to be negligent) for software vendors that fail to protect the integrity of their software build pipelines, most have done little to change the way they evaluate the security of the software they purchase and the assurances they demand from software providers.

According to ENISA, supply chain attacks, such as SolarWinds, Codecov and Kaseya, are expected to increase by a factor of four in 2021. Executives are clearly much more concerned about their vulnerability to software supply chain attacks and aware of the urgent need for action. However, the survey results show that they are not taking action that will drive change.

Key findings include:

  • 97% of executives believe that software providers need to improve the security of their software build and code signing processes.
  • 96% of executives think that software providers should be required to guarantee the integrity of the code in their software updates.


  • 55% of executives report that the SolarWinds hack has had little or no impact on the concerns they consider when purchasing software products for their company.
  • 69% of executives say their company has not increased the number of questions they are asking software providers about the processes used to assure the security of their software and verify code.
  • Within their own organizations, executives are split on who is responsible for improving the security within their own software development organizations, with 48% saying IT security is responsible and 46% saying development teams are responsible.

“There is a clear disconnect between concern about supply chain attacks and improving security controls and processes to mitigate this risk,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Executives are right to be concerned about the impact of supply chain attacks. These attacks present serious risks to every organization that uses commercial software and are extremely difficult to defend against. To address this systemic problem, the entire technology industry needs to change the way we build and buy software. Executives can’t treat this as just another technical problem—it’s an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software.”

Additional Resources:

Read the blog.

About Venafi

Venafi is the cybersecurity market leader in machine identity management, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With more than 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the top four accounting and consulting firms; four of the top five U.S. retailers; and the top four banks in each of the following countries: the U.S., the U.K., Australia and South Africa.

For more information, visit:


Shelley Boose


Shelley Boose