Open-source software (OSS) holds a pivotal and significant position in modern application development, serving as a cornerstone of the software supply chain. However, its widespread integration into commercial applications poses challenges in tracking and managing potential risks.
Naturally, the screening and vetting of OSS emerge as essential components of any software supply chain security initiative. But what is the current state of software supply chain security?
Software supply chain security
Firstly, OSS has emerged as a primary target for cyberattacks. In fact, 9 out of 10 companies have detected software supply chain threats, with 70% admitting that their current solutions are inadequate. While open source attacks are the “path of least resistance” for many threat actors, attacks on commercial and proprietary software are also on the rise.
Threat actors exploit the difficulty organisations face in keeping track of their OSS, leading to persistent supply chain attacks that affect software providers, businesses and consumers. These attacks, whether they exploit OSS vulnerabilities or inject malicious code, result in compromised user data and strained business relationships. The 2024 Open Source Security and Risk Analysis Report highlights the extent of this issue, revealing that 84% of scanned codebases in 2024 contained an OSS vulnerability, with 74% containing high-risk vulnerabilities. Despite the prevalence of these vulnerabilities, organisations often fail to address them adequately, or overlook them entirely.
Rising threat levels
Recent years have witnessed prominent vulnerabilities in Log4j, curl, Apache Struts and OpenSSL, each of which led to a range of operational damage. These cases highlight the severe impact on organisations when a single weakness within the software supply chain is exploited.
The most prolific supply chain attack was SolarWinds. Due to lax security practices, a former intern inadvertently exposed a critical internal password. By exploiting this weakness, the attackers gained access to the SolarWinds systems responsible for assembling updates to one of its core products, Orion. They implanted malicious code into the build environment, allowing them to clandestinely monitor and identify the running processes involved in Orion's compilation. They then manipulated source files to include the SUNBURST malware, which compromised Orion's updates and impacted 18,000 SolarWinds customers. As a result, the attackers obtained sensitive information while locating further targets to which the malware could spread. The ultimate targets were several steps removed from the initial breach, which makes this incident a prime example of the serious impact of modern software supply chain attacks.
Presently, more sophisticated supply chain attacks involve the insertion of malware and malicious packages into the software development life cycle (SDLC), effectively transferring risks to end users. These attacks succeed due to the implicit trust placed in third-party software during organisational software development.
Organisations must broaden their approach to addressing software supply chain security, gaining comprehensive visibility into all application dependencies and enhancing their capability to identify modern risks beyond OSS vulnerabilities. While historically challenging, addressing these concerns is now more feasible than ever before.
Comprehensive open-source discovery
With the majority of the software supply chain made up of open-source software, failure to track and manage it properly leaves a glaring gap in any risk management strategy. Additionally, any mandated Software Bill of Materials (SBOM) will require that all OSS dependencies be listed.
Security teams should therefore adopt tools that identify all open-source components through a combination of dependency, snippet, binary and container analysis, regardless of language or package manager. Combining these techniques gives the most comprehensive view of the OSS in use.
Most commercial and enterprise software teams use third-party code from an outside vendor. Although security teams can perform their own analysis of these third-party artefacts, it is much easier if the software vendor provides its own SBOM. Tools are available that assist security teams in importing external SBOMs and automatically cataloguing the open-source, commercial and custom components contained within them. This extends software supply chain visibility beyond open-source dependencies alone and allows all dependencies to be analysed for risk.
Attackers are getting more devious, injecting malicious packages and malware into open source ecosystems, and even directly into applications, making it possible to compromise build environments.
Catching this type of malware requires a specialised form of analysis that modern tools incorporate. Moreover, continuous risk identification and monitoring is essential: the fact that a component is secure when it enters the SDLC does not mean it will remain secure further down the development pipeline. The capability to analyse dependencies in both generated and imported SBOMs is vital for monitoring open-source vulnerabilities, secrets, malware and malicious packages.
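The two preceding passages describe importing an SBOM and continuously checking its dependencies against known vulnerabilities and malicious packages. The script below is an added example, not code from the article or from any vendor tool: it walks a constructed CycloneDX-style JSON SBOM (including nested components, which is how transitive dependencies appear), extracts each package URL, and matches it against a constructed advisory list that mixes vulnerability ranges with a flagged typosquat package. The SBOM contents, package names, advisory identifiers and the small version-range syntax are all assumptions made for the example; a real deployment would feed advisories from a vulnerability or malicious-package source rather than an inline list.

```python
"""Cross-reference SBOM components against an advisory list (added example)."""
import json
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Component:
    purl: str      # package URL as recorded in the SBOM
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    purl_key: str  # "type/namespace/name" part of a purl, without version
    affected: str  # "*" (all versions), "<X", "<=X" or "==X"  (assumed mini-syntax)
    kind: str      # "vulnerability" or "malicious"
    severity: str


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    purl: str
    kind: str
    severity: str


def purl_key_and_version(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@ver?qualifiers#subpath' into ('type/ns/name', 'ver').

    Scoped npm names arrive percent-encoded (pkg:npm/%40acme/logger@...), so the
    '@' separator is unambiguous; decoding happens after the split.
    """
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("#", 1)[0].split("?", 1)[0]
    key, _, version = body.partition("@")
    return unquote(key), unquote(version)


def _ver_tuple(v: str) -> tuple:
    # Numeric-aware ordering so "1.10.0" sorts after "1.9.3"; non-numeric parts
    # compare as strings after numeric ones and never raise on odd version strings.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def is_affected(version: str, spec: str) -> bool:
    """Evaluate the assumed range syntax used by the constructed advisories."""
    if spec == "*":
        return True
    ops = {"<=": lambda a, b: a <= b, "==": lambda a, b: a == b, "<": lambda a, b: a < b}
    for op in ("<=", "==", "<"):  # check two-character operators first
        if spec.startswith(op):
            return ops[op](_ver_tuple(version), _ver_tuple(spec[len(op):]))
    raise ValueError(f"unsupported affected spec {spec!r}")


def iter_components(components: list) -> Iterator[Component]:
    """Walk CycloneDX 'components', recursing into nested (transitive) components."""
    for c in components:
        if c.get("purl"):
            yield Component(c["purl"], c.get("name", ""), c.get("version", ""))
        yield from iter_components(c.get("components", []))


def load_components(sbom_json: str) -> List[Component]:
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON SBOM")
    return list(iter_components(doc.get("components", [])))


def match_advisories(components: List[Component], advisories: List[Advisory]) -> List[Finding]:
    index: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        index.setdefault(adv.purl_key, []).append(adv)
    findings = []
    for comp in components:
        key, version = purl_key_and_version(comp.purl)
        for adv in index.get(key, []):
            if is_affected(version, adv.affected):
                findings.append(Finding(adv.advisory_id, comp.purl, adv.kind, adv.severity))
    return findings


def scan(sbom_json: str, advisories: List[Advisory]) -> List[Finding]:
    return match_advisories(load_components(sbom_json), advisories)


# Constructed sample SBOM: CycloneDX field names are real, package names are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "1.3.0",
         "purl": "pkg:npm/example-http-client@1.3.0"},
        {"type": "library", "name": "@acme/logger", "version": "2.0.1",
         "purl": "pkg:npm/%40acme/logger@2.0.1",
         "components": [  # transitive dependency pulled in by the logger
             {"type": "library", "name": "examp1e-http-client", "version": "1.0.0",
              "purl": "pkg:npm/examp1e-http-client@1.0.0"}]},
        {"type": "library", "name": "example-yaml", "version": "5.2.0",
         "purl": "pkg:pypi/example-yaml@5.2.0"},
    ],
})

# Constructed advisories with placeholder identifiers (not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "npm/example-http-client", "<1.4.2", "vulnerability", "high"),
    Advisory("ADV-EXAMPLE-0002", "npm/examp1e-http-client", "*", "malicious", "critical"),
    Advisory("ADV-EXAMPLE-0003", "pypi/example-yaml", "<5.0.0", "vulnerability", "medium"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f.severity:>8}  {f.kind:<13} {f.advisory_id}  {f.purl}")
```

Run as-is, the script reports two findings: the outdated HTTP client and the look-alike package hidden one level down in the dependency tree, while the YAML library is correctly left alone because its version is outside the advisory's range. Re-running the same scan whenever the advisory list changes is what turns a one-off SBOM check into the continuous monitoring the text calls for.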
“Comprehensive” supply chain security
Achieving comprehensive security across the software supply chain necessitates a deep understanding of its entirety and the establishment of a robust system for continuous monitoring, vulnerability testing and prompt remediation.
Open-source software, while offering numerous benefits such as enhancing critical software applications and enriching customer experiences, also poses inherent risks.
Safeguarding your organisation against these risks demands a coordinated approach, facilitating the identification, monitoring, and analysis of code content. Leveraging appropriate tools and technologies will dramatically reduce the risk of your organisation suffering a software supply chain attack.