In episode 55 of the Cybersecurity Minute, Chris Hughes shares his major takeaways from a recent Synopsys cybersecurity report.
This episode is sponsored by Acceleration Economy’s Digital CIO Summit, taking place April 4-6. Register for the free event here. Tune in to the event to hear from CIO practitioners discuss their modernization and growth strategies.
00:35 — Synopsys has published its 2023 Open Source Security and Risk Analysis Report. Chris sees some interesting findings in it that don’t bode well for software supply chain security.
00:56 — To put what’s going on with software supply chain security in context, Chris reminds us of a report from Sonatype that said software supply chain attacks are up over 700% in the last three years. Other incidents including Log4j, Codecov, SolarWinds, and more have made the software supply chain a hot topic.
01:07 — Malicious actors have realized they can target a single organization, a single open-source software project or component, and have a massive downstream impact on thousands of organizations and millions of individuals.
01:18 — Synopsys did a security assessment of more than 1,700 different code bases. And what it found is alarming. It found that 89% of code bases contained open-source software that was more than four years out of date and that 91% of those code bases contained components that had had no new development in the last two years. Plus, 84% of all the examined commercial and proprietary code bases had several high-risk vulnerabilities.
01:49 — From an attacker’s perspective, you just have this massive ecosystem of open-source software that’s pervasive across every aspect of our software supply chain: from mundane, leisurely applications that we all use in our daily activities, to the most critical infrastructure including industrial control systems and national defense and military systems.
02:12 — Organizations simply aren’t keeping an eye on their open-source software hygiene. They have a lot of outdated open-source software in their applications, ecosystem, and infrastructure. Most of it is out of date and contains vulnerabilities. It’s just sitting there, waiting for malicious actors to take advantage of it.
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
02:35 — This is why we see Gartner and other organizations predicting that, in a couple of years, 50% of organizations are going to experience a software supply chain attack. It’s just the nature of the ecosystem at the moment. Organizations have been using open-source software for a variety of reasons, among them efficiency and the ability to speed up development time-to-market, cost savings, and more.
02:56 — But the reality is that using open-source software has a trade-off when you’re not being attentive enough to security. This means that you’re not keeping dependencies up to date and not attending to transitive dependencies that have vulnerabilities. Malicious actors are paying attention, and they are taking a lot of interest, realizing the value of this software and how it can be such an efficient attack vector. They can compromise a single target and have a massive impact downstream across the entire ecosystem.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: