Open-source risks continue to threaten digital business stability. Software supply chain incidents such as Log4j and Spring4Shell have put billions of devices at risk for remote-control execution attacks. Not only that, but a multitude of other vulnerabilities lie dormant, known or unknown, within the root of modern software applications that rely heavily upon countless open-source projects. As a result, studies have found an extraordinary 742% average annual increase in supply chain attacks over the past three years.
In response to this widening software supply chain issue, organizations are beginning to standardize their software consumption process and better manage dependencies. There’s also a government-led impetus to evolve — part of the 2021 presidential Executive Order on Improving the Nation’s Cybersecurity requires software companies working with the U.S. government to provide a software bill of materials (SBOM) that lists project dependencies.
Sonatype’s The State of the Software Supply Chain report provides fascinating data on the global software supply chain threat. The lengthy report calculates vulnerabilities across popular package managers and weighs the maturity of the security response to pressing risks. Below, I’ll summarize the study’s key points to better understand how information technology (IT) divisions should address open-source security in the face of today’s interconnected software supply chain.
Open-Source Demand Increases, as Do Vulnerabilities
Although 2022 saw the largest volume of open-source downloads, there was a slight decrease in the acceleration of open-source adoption and usage. This is perhaps due to new procurement policies emerging in response to Log4j. It’s good that organizations are waking up to the reality of open-source threats — especially since Sonatype discovered 97,334 suspected malicious packages in their monitoring processes.
Nevertheless, a lack of knowledge and visibility into dependencies is still a pressing issue. Six of every seven project vulnerabilities come from transitive dependencies, which are additional components a software tool depends upon to function but which are not always accessible. Dependency confusion can arise from tactics such as typosquatting or brandjacking. Or, legitimate open-source dependencies may unknowingly include code injections contributed by actors with nefarious intent.
Other Software Supply Chain Metrics
So, what is the state of individual projects? Well, common libraries have 5.7 dependencies on average. Although only 10% of these have a vulnerability directly affecting the code, 62% had a direct security issue or a transitive vulnerability arising from their third-party dependency tree. At large, this fact means that 1.2 billion vulnerable dependencies are being consumed each month.
A random sample of 55,000 enterprise applications revealed that 68 of the applications had known vulnerabilities in the underlying open-source software components. However, these are probably incomplete numbers, as it’s tricky to sum up the total vulnerability landscape. Since hackers target popular libraries over more niche or inactive projects, popular projects have more known vulnerabilities, not inherent vulnerabilities.
There is truly a wide surface area to cover, and the dependency tree is never-ending. Astonishingly, engineers have to track an average of 1,500 dependency changes per year per application. This underscores the need for SBOMs, as well as an automated approach to auditing dependencies.
Global Regulations to Mature Software Supply Chain Integrity
Software supply chain security is still undergoing a maturation process. Most companies still aren’t cataloging SBOMs or performing remediation for every vulnerability. Yet, strides are underway to formalize this process, and much of the future of supply chain security might be regulation-led.
For example, in January 2022, the Office of Management and Budget (OMB) issued the Memorandum: “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” encouraging alignment with Cybersecurity and Infrastructure Security Agency (CISA) ‘s five-point zero trust model.
Another example of new regulation: “When a federal agency (purchaser) acquires software or a product containing software, the agency should receive attestation from the software producer that the software’s development complies with government-specified secure software development practices.” — Software Supply Chain Security Guidance Under Executive Order (E.O.) 14028, NIST (National Institute of Standards and Technology)
Other countries have followed suit, albeit with fewer mandatory conditions. For example, Germany recently issued the Information Security Act 2.0 (IT-SiG), and Japan passed an Act on Promotion of Economic Security by Integrated Implementation of Economic Measures. Similar proclamations to combat supply chain risks have been seen from agencies like European Agency for Cyber Security (ENISA) and NATO.
As digital reliance soars, the number of vulnerabilities will likely continue to grow, and along with it, the frequency of attacks on enterprise software. Thirty-one percent of businesses estimate a cyber attack happens at least once a week. These attacks could result in ransomware attacks, cryptojacking, or large sweeping denial-of-service campaigns.
Much of the software surface area has yet to be discovered. The report found that only 7% of businesses have looked at their wider supply chain. It will take knowledge sharing to improve development security practices. It will also take a coordinated effort from the open-source community to democratize access to the necessary security tooling. For example, emerging standards like Sigstore and SLSA (Supply Chain Levels for Software Artifacts) are set to add new layers to protect the provenance of open-source packages.
“This average annual growth rate over the last three years is nothing short of astonishing and underlines the need to step-up governmental and industry-driven efforts to curb and defend against these attacks,” says the report.
For further insights and deeper analysis into how this data was generated, readers can view the entire 8th Annual State of the Software Supply Chain report, presented by Sonatype.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: