What you’ll learn:
- Why the software supply chain is important.
- How software security impacts organizations across all industries.
- How the ubiquity of open-source software impacts organizations’ software supply-chain risk-management strategies.
Software has become the backbone of nearly every organization in today’s digitally progressive world. In fact, it’s the driving force behind the delivery of goods and services in every industry vertical across the globe. However, increased reliance on software has brought about a new set of cybersecurity challenges—particularly those pertaining to software supply-chain security.
The software supply chain involves anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development lifecycle. As such, software supply-chain security is the act of securing the components, activities, and practices involved in the creation and deployment of software. This could include third-party and proprietary code, deployment methods, infrastructure, interfaces and protocols, and developer practices and development tooling.
Software Turns Toward Assembly
As modern software applications are experiencing a shift from being built from scratch to being assembled from various parts developed by various entities, the software supply chain has become more complex than ever before. And while this isn’t a purely novel trend, organizations across all industries—no matter whether they build, operate, or leverage software—are making it an increasingly crucial priority to evaluate their unique software supply chain and identify methods to secure it.
The heightened attention is pertinent and justified: recent high-profile cyberattacks such as SolarWinds and open-source vulnerabilities such as Log4Shell highlighted the risks present in the software supply chain, with direct consequences for organizations’ bottom line and business continuity.
Open-Source Software Creates Supply-Chain Vulnerability
One of the most significant factors in this conversation, and one of the biggest challenges organizations face in securing their software supply chain, is the prevalence of open-source software. Synopsys’ 2023 Open Source Security and Risk Analysis (OSSRA) report, which examines the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions across 17 industries, notes that 96% of applications contain open-source components, with 76% of all application code being open source.
Those results support the claim that software is no longer being built. Rather, it’s being assembled using code, libraries, operating systems, configurations, and various other aspects from a variety of sources.
Open source has nurtured innovation across all industries, enabling organizations to introduce solutions to the market at a speed and scale that has welcomed digital transformation. At the same time, the scale of open-source usage has made an already complicated software supply chain even more complex.
The 2023 OSSRA report found vulnerabilities in 84% of applications, and 48% of the applications analyzed contained high-risk vulnerabilities. This signals to us that organizations are struggling to manage the open-source code they’re using. It also raises one of the biggest challenges with open-source software—ensuring that it’s kept up-to-date and secure.
The OSSRA report found that 89% of codebases contained components that were more than four years behind on updates. This is rather concerning because older components are more likely to contain vulnerabilities that can be exploited by cybercriminals.
Another challenge with open-source software is license compliance. Thousands of different types of licenses range from permissive to restricted, and everything in between. The 2023 OSSRA report found that 54% of codebases had some sort of license conflict with their open-source dependencies. This can result in legal issues and expose organizations to potential financial and reputational damage.
Counteract Security Risks with SBOM Visibility
To address these challenges, organizations need to establish and maintain visibility of their software supply chain. This is where the concept of a software bill of materials (SBOM) comes into play. An SBOM is a comprehensive list of all components that make up a piece of software, including open-source libraries and dependencies. It provides a complete picture of the software supply chain and allows organizations to assess the risk posed by each component.
The importance of having this visibility is only going to increase as organizations mature their software supply-chain security approaches. In general, transparency and visibility tend to be net positives, so not only will this result in an improvement in an organization’s ability to mitigate risk, but it will also force teams to hold each other accountable when addressing lingering issues.
In addition to establishing and maintaining visibility of the software supply chain, organizations need to adopt a proactive approach to software security. This means implementing robust security testing and vulnerability scanning throughout the software development lifecycle. By doing so, organizations can identify and remediate vulnerabilities early in the development process, reducing the risk of a successful cyberattack.
Don’t Fall Prey to Log4Shell and Other Menaces
The software supply chain is a component of any organization’s overall cybersecurity posture that can’t be ignored or overlooked. The 2023 OSSRA report found that known vulnerabilities, such as Log4Shell, despite being disclosed with a fix in December 2021, are still lurking in organizations’ software supply chains. The report found that vulnerable versions of Log4J were present in 11% of the Java codebases analyzed.
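As an added illustration of the SBOM visibility and Log4Shell checks described above (example code written for this page, not from Synopsys or the OSSRA report), the following script reads a constructed CycloneDX-style SBOM, flags components whose version falls below an advisory’s fixed release, and flags components whose release date is more than four years old. The SBOM contents, the advisory rule (log4j-core below 2.15.0, the December 2021 fix release) and the release-date table are all constructed sample data standing in for a registry or vulnerability-database lookup.

```python
import json
import re
from datetime import date

# Constructed sample SBOM (CycloneDX JSON shape), not from any real product.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "log4j-core", "version": "2.14.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"name": "log4j-core", "version": "2.17.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
  {"name": "commons-collections", "version": "3.2.1",
   "purl": "pkg:maven/commons-collections/commons-collections@3.2.1"}]}"""

# Constructed advisory rule: Log4Shell affects log4j-core before the 2.15.0 fix
# (illustrative only; consult a vulnerability database for authoritative ranges).
ADVISORIES = [{"id": "Log4Shell", "fixed_in": "2.15.0",
               "package": "pkg:maven/org.apache.logging.log4j/log4j-core"}]

# Constructed release dates keyed by purl, standing in for a registry lookup.
RELEASE_DATES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": date(2021, 3, 12),
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1": date(2021, 12, 28),
    "pkg:maven/commons-collections/commons-collections@3.2.1": date(2008, 4, 14),
}

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of leading numeric parts."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group().split(".")) if m else ()

def find_vulnerable(components, advisories=ADVISORIES):
    """Components whose version is below an advisory's fixed_in for the same package."""
    hits = []
    for comp in components:
        package, _, version = comp["purl"].rpartition("@")
        for adv in advisories:
            if package == adv["package"] and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((comp["purl"], adv["id"]))
    return hits

def find_stale(components, today, max_years=4, release_dates=RELEASE_DATES):
    """Components released more than max_years before today (the OSSRA staleness bar)."""
    return [c["purl"] for c in components
            if c["purl"] in release_dates
            and (today - release_dates[c["purl"]]).days > max_years * 365]

def audit(sbom_json=SBOM_JSON, today=date(2023, 4, 1)):
    """Parse the SBOM and return the vulnerable and stale components found."""
    components = json.loads(sbom_json)["components"]
    return {"vulnerable": find_vulnerable(components), "stale": find_stale(components, today)}
```

Running `audit()` reports the 2.14.1 log4j-core entry as affected by Log4Shell while the patched 2.17.1 entry passes, and reports the 2008-era commons-collections build as more than four years behind.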
With so many organizations depending on open-source software to power their businesses, it’s essential that they have visibility into their software supply chain and are taking proactive steps to secure it. By adopting an SBOM, implementing robust security testing, and staying up-to-date on software vulnerabilities, organizations can reduce their risk and stay ahead of cyber threats.