A software supply chain cyberattack involves infiltrating an organization's software supply chain to compromise the software itself, or its development processes. Unlike traditional cyberattacks, which target a company's defenses directly, these attacks exploit vulnerabilities in third-party software components and libraries used by the organization. By compromising a single software supplier, attackers can potentially gain access to the networks of multiple organizations that use the affected software, creating a cascading effect of security breaches.
The Growing Software Supply Chain Threat Landscape
The threat landscape for software supply chain attacks is becoming increasingly dire. According to various reports and studies, including the NetRise Supply Chain Visibility and Risk Study, the frequency and severity of these attacks are escalating at an alarming rate. This is illustrated by findings that include:
- Gartner: "Software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks." [1]
- Ponemon Institute: "Fifty-nine percent of organizations in this research have been impacted by a software supply chain attack or exploit, and 54 percent of these respondents say the attacks happened in the past year." [2]
- Sonatype's State of the Software Supply Chain Report: "There has been an astonishing 742 percent average annual increase in software supply chain attacks over the past 3 years." [3]
These statistics underscore the urgent need for organizations to develop, at a minimum, comprehensive visibility into the software and software components and dependencies used within their organization. Quite simply, you cannot secure what you do not see. Comprehensive software visibility is the starting point for any robust software supply chain security strategy.
Why Supply Chain Attacks Are Increasing
Several factors contribute to the increasing prevalence of software supply chain attacks, including:
- More Informed Cyber Attackers. Attackers are becoming more sophisticated and better informed about the software components and libraries that organizations use. This knowledge allows them to identify and exploit vulnerabilities more effectively. Combine this with the lack of visibility most enterprises have into their software stacks, and we conclude that, by and large, the cyber-attackers are better informed than the enterprises they look to attack.
- Lack of Software Visibility. Again, the majority of organizations lack detailed visibility into their software components and dependencies. They have no software asset inventories or software bills of materials. And without this detailed knowledge of the software stack, software vulnerabilities go undetected and unaddressed, providing attackers with relatively easy entry points.
- Single Attack Vector, Multiple Targets. Supply chain attacks offer a high return on investment for attackers. By compromising a single software supplier, they can potentially gain access to multiple organizations that use the affected software, amplifying the impact of their attack and their investment in developing the attack.
- Increased Use of Third-Party and Open-Source Components. The widespread use of third-party and open-source software components in modern applications increases the attack surface. These components often contain vulnerabilities that can be exploited if not properly managed.
- Network Accessibility of Vulnerabilities. Many software vulnerabilities are easily accessible over the network, making it easier for attackers to exploit them. The recent NetRise Supply Chain Visibility and Risk Study into 100 networking equipment devices found that there were, in aggregate, 2,022 weaponized vulnerabilities and 667 vulnerabilities that were network accessible. That’s an average of seven vulnerabilities per device that are both weaponized and network accessible.
Software supply chain attacks pose significant challenges for enterprises, not least the challenge of being proactive. The most recent NetRise study found that detailed software analysis uncovers 243.4 times more vulnerabilities than the more traditional approach of network-based asset scanning. If enterprises are unaware of most of their software vulnerabilities, it is impossible to address them proactively. Without an inside-out analysis of the compiled code, companies are simply blind to most of their software vulnerabilities, which makes software supply chain cyber-attacks difficult to detect until it is far too late.
Responding to and remediating software supply chain attacks is also challenging because enterprises, as well as the software producers themselves, have no consistent method for pinpointing where the exploited vulnerabilities exist. This lack of knowledge hampers effective response efforts and prolongs exposure.
Steps to Protect Against Supply Chain Attacks
To address these challenges, organizations must prioritize achieving comprehensive software visibility. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components within the supply chain. Here are some basic steps companies should consider:
- Generate comprehensive SBOMs. Creating detailed software bills of materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively.
- Implement automated software risk analysis. Traditional network-based vulnerability scanners often underreport vulnerability information. By augmenting these scans with detailed software risk analysis methods, companies can uncover a much more complete risk picture, ensuring a more thorough risk assessment. Automated tools can help generate and analyze SBOMs, providing continuous and up-to-date visibility.
- Prioritize risk management. Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are addressed first. Feeding this vulnerability information into existing security operations center (SOC) tools ensures it is widely available and actionable.
- Continuous monitoring and updating. Supply chain security is not a one-time effort. Continuous monitoring of software components is essential to stay ahead of emerging threats. Companies should establish processes for ongoing vulnerability assessment and remediation, ensuring that their software inventory is always current, and risks are continuously managed.
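The four steps above describe one pipeline: inventory components from an SBOM, match them against vulnerability data, then rank the findings on weaponization and network accessibility rather than on CVSS alone. The script below is an added example that is not part of the original article or any NetRise product: it reads a constructed CycloneDX-style SBOM, joins it to a constructed vulnerability feed (the vulnerability IDs are placeholders, not real CVEs), and shows how a tiered ranking differs from a CVSS-only ranking. It also shows, as a simplification, what a network-only view would surface, which is the underreporting the second step warns about.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM; component names and versions are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-ssl", "version": "1.0.2", "purl": "pkg:generic/libexample-ssl@1.0.2"},
    {"type": "library", "name": "example-httpd",  "version": "2.4.1", "purl": "pkg:generic/example-httpd@2.4.1"},
    {"type": "library", "name": "example-zlib",   "version": "1.2.8", "purl": "pkg:generic/example-zlib@1.2.8"},
    {"type": "library", "name": "example-utils",  "version": "3.1.0", "purl": "pkg:generic/example-utils@3.1.0"}
  ]
}
"""

# Constructed vulnerability feed keyed by purl. IDs are placeholders, not real CVE numbers.
# 'weaponized' and 'network_accessible' are the two factors the text says should
# weigh more than the raw CVSS score.
VULN_FEED = {
    "pkg:generic/libexample-ssl@1.0.2": [
        {"id": "VULN-PLACEHOLDER-0001", "cvss": 7.5, "weaponized": True,  "network_accessible": True},
    ],
    "pkg:generic/example-httpd@2.4.1": [
        {"id": "VULN-PLACEHOLDER-0002", "cvss": 9.8, "weaponized": False, "network_accessible": True},
    ],
    "pkg:generic/example-zlib@1.2.8": [
        {"id": "VULN-PLACEHOLDER-0003", "cvss": 9.1, "weaponized": True,  "network_accessible": False},
        {"id": "VULN-PLACEHOLDER-0004", "cvss": 5.3, "weaponized": False, "network_accessible": False},
    ],
}


@dataclass(frozen=True)
class Finding:
    component: str
    vuln_id: str
    cvss: float
    weaponized: bool
    network_accessible: bool

    @property
    def tier(self) -> int:
        # 0: weaponized and reachable over the network (fix first)
        # 1: weaponized only; 2: reachable only; 3: neither
        if self.weaponized and self.network_accessible:
            return 0
        if self.weaponized:
            return 1
        if self.network_accessible:
            return 2
        return 3


def load_inventory(sbom_json: str) -> dict[str, str]:
    """Step 1: build {purl: 'name@version'} for every component in the SBOM."""
    bom = json.loads(sbom_json)
    inventory = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"pkg:generic/{comp['name']}@{comp['version']}"
        inventory[purl] = f"{comp['name']}@{comp['version']}"
    return inventory


def match_findings(inventory: dict[str, str], feed: dict) -> list[Finding]:
    """Step 2: join the inventory against the vulnerability feed."""
    return [
        Finding(label, v["id"], v["cvss"], v["weaponized"], v["network_accessible"])
        for purl, label in inventory.items()
        for v in feed.get(purl, [])
    ]


def network_scan_view(findings: list[Finding]) -> list[Finding]:
    """Simplified model of what a network-only scanner can see: only reachable issues."""
    return [f for f in findings if f.network_accessible]


def by_cvss(findings: list[Finding]) -> list[Finding]:
    """Baseline ordering: CVSS score only."""
    return sorted(findings, key=lambda f: -f.cvss)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Step 3: tier by weaponization and exposure first, CVSS only as the tiebreak."""
    return sorted(findings, key=lambda f: (f.tier, -f.cvss))


def prioritize_sbom(sbom_json: str, feed: dict) -> list[Finding]:
    return prioritize(match_findings(load_inventory(sbom_json), feed))


if __name__ == "__main__":
    ranked = prioritize_sbom(SBOM_JSON, VULN_FEED)
    for f in ranked:
        print(f"tier {f.tier}  cvss {f.cvss:>4}  weaponized={f.weaponized!s:5}  "
              f"net={f.network_accessible!s:5}  {f.component}  {f.vuln_id}")
    seen = network_scan_view(ranked)
    print(f"network-only view would report {len(seen)} of {len(ranked)} findings")
```

Run as written, the tiered ranking puts the weaponized, network-reachable 7.5 ahead of the unweaponized 9.8, which is the opposite of a CVSS-only sort, and the network-only view reports two of the four findings. In practice the SBOM would come from a generator, the feed from a vulnerability database with exploit-status enrichment, and the ranked output would be pushed into the SOC tooling, as the third step suggests.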
The increasing wave of software supply chain cyber-attacks highlights the critical need for organizations to adopt comprehensive and proactive security measures. By prioritizing software visibility, generating comprehensive SBOMs, implementing automated risk analysis, and maintaining continuous monitoring, organizations can build a strong foundation for their software supply chain cybersecurity efforts.
1. Mitigate Enterprise Software Supply Chain Security Risks, 31 October 2023, Gartner.
2. The State of Software Supply Chain Security Risks, Prepared by Ponemon Institute, Sponsored by Synopsys, May 2024.
3. 8th and 9th Annual State of the Software Supply Chain, Sonatype.