Brian Fox is a software developer, innovator and entrepreneur, most prominently known for his role as CTO and Co-Founder of Sonatype, Inc.
2014 was a year of many firsts. Rosetta’s Philae lander made the first successful landing on a moving comet, Janet Yellen was sworn in as the first woman to chair the U.S. Federal Reserve and Apple unveiled its first wearable device, the Apple Watch.
For those in cybersecurity, 2014 was noteworthy for another first: Congress introduced the first piece of legislation centered around software supply chain security. Unfortunately, the bill never went to a vote, and since then, the software supply chain has become an increasingly prominent attack vector—enabling threat actors to become the protagonists of the software supply chain.
Now, over a decade later, cybercriminals have businesses on the back foot. According to Cisco’s 2024 Cybersecurity Readiness Index, only 3% of organizations are prepared to mitigate today’s cybersecurity risks. This is concerning, albeit unsurprising. Attackers have slowly gained control of the software supply chain over the last 10 years, and we had plenty of chances to prevent them from doing so.
A Decade-Long Transformation
In 2014, threat actors primarily searched for exploitable vulnerabilities to gain unauthorized access to a system—much like a burglar snooping around for an open window. While rewarding when successful, these attacks were time-consuming to execute and dependent on waiting for a valuable bug to be discovered.
The Equifax breach of 2017 marked the inception of targeted attacks, proving that a single vulnerable open-source component could enable threat actors to infect multiple systems simultaneously. Rather than hoping to stumble across a weakness, attackers realized injecting malicious code directly into software development was much more fruitful.
The 2020 hack involving SolarWinds epitomizes the rise of sophisticated software supply chain attacks, as the campaign was incredibly successful in compromising high-profile networks, including nine U.S. government agencies.
In 2021, a vulnerability in the popular Log4j component, dubbed Log4Shell, was uncovered. Our 2024 State of the Software Supply Chain report found that 13% of Log4j downloads were still of the vulnerable version. Threat actors know remediation has been inconsistent, and CISA published a report in July 2024 stating that North Korean-affiliated actors are still exploiting Log4Shell.
2024 witnessed another significant milestone with the attempted XZ Utils attack. Initiated years in advance, the threat actor offered innocent advice to build trust with the project’s maintainer before ultimately taking over the project and adding encrypted malicious code directly into the XZ source code.
Fortunately, the attack was thwarted before it could infect enterprises worldwide. However, similar sophisticated social engineering campaigns will continue, and as Cisco notes, 97% of organizations aren’t prepared to prevent them.
2025: Taking Back Control
Had we done things differently in 2014, attackers would likely not have the upper hand they do today. A continued lack of urgency and proactivity over the last decade—despite multiple close calls—gave them the power.
While we can’t go back in time, we can start regaining control of the software supply chain now. As modern ecosystems become increasingly interconnected and the reliance on open-source components continues to grow, the software supply chain will become an increasingly lucrative target for threat actors.
Improving our cybersecurity posture is the only way to put ourselves back in the driver’s seat, and it starts with changing our consumption habits.
Choose The Right Components
Good open-source consumption starts with selecting high-quality components. Considering there are millions of components to choose from, however, this is no easy feat. Even though there is no definitive marker of a high-quality component, projects with a published software bill of materials (SBOM), paid maintainers and support from foundations like the Apache Software Foundation typically align with better quality.
Still, this isn’t a foolproof measure. While teams should consider these factors during the initial selection process, they must also invest in tools that assess component health and provide actionable insights to help them mitigate risk from the beginning of the software development lifecycle.
Don’t Neglect Dependency Management
Open-source components aren’t a “set it and forget it” asset. Even high-quality components must be regularly maintained and updated after they’ve been selected to ensure durability and integrity. Unfortunately, dependency management is often overlooked or deprioritized in the software development process. According to our report, 80% of enterprise application dependencies remain outdated for over a year.
Dependency management tends to fall by the wayside because it can be incredibly time-consuming—but that results from teams trying to manage dependencies manually. Developers would much rather focus on building applications than spend their time remedying issues. Technology should be detecting vulnerabilities, automatically applying fixes and helping them prioritize the most critical updates. Not only does this reduce the time developers spend managing dependencies and improve security, but it also allows more time for innovation.
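One way to automate the prioritization this paragraph asks for, as an added example that is not Sonatype's or the report's tooling: parse a pinned lockfile, look up each version against a registry snapshot, and rank findings by known advisories first and then by how long a newer release has been available. The lockfile format, package names, release dates and advisory IDs below are all constructed for illustration.

```python
# Added example (not Sonatype's or the report's tooling): rank pinned dependencies
# by known vulnerabilities, then by how long a newer release has been available.
# Lockfile format, package names, dates and advisory IDs are all constructed.
from datetime import date

AS_OF = date(2025, 1, 15)  # constructed "today", fixed for reproducibility
STALE_AFTER_DAYS = 365     # the report's "outdated for over a year" threshold

LOCKFILE = "http-client==2.25.1\nlog-core==2.14.1\njson-helper==1.4.0\n"

REGISTRY = {  # releases in chronological order; advisory IDs are placeholders, not CVEs
    "http-client": {"releases": [("2.25.1", date(2020, 12, 16)), ("2.28.0", date(2022, 6, 9)),
                                 ("2.32.3", date(2024, 5, 29))],
                    "advisories": {"2.25.1": [("EXAMPLE-ADV-0001", 6.1)]}},
    "log-core": {"releases": [("2.14.1", date(2021, 3, 12)), ("2.17.1", date(2021, 12, 28))],
                 "advisories": {"2.14.1": [("EXAMPLE-ADV-0002", 10.0)]}},
    "json-helper": {"releases": [("1.4.0", date(2024, 9, 1)), ("1.4.1", date(2024, 11, 20))],
                    "advisories": {}},
}

def parse_lockfile(text):
    """Return {name: version}; reject any dependency not pinned with ==."""
    deps = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name] = version
    return deps

def assess(deps, registry, as_of=AS_OF):
    """One finding per dependency, most urgent first."""
    findings = []
    for name, pinned in deps.items():
        releases = registry[name]["releases"]
        newer = releases[[v for v, _ in releases].index(pinned) + 1:]
        outdated_days = (as_of - newer[0][1]).days if newer else 0  # 0 when already latest
        scores = [s for _, s in registry[name]["advisories"].get(pinned, [])]
        findings.append({"name": name, "pinned": pinned, "latest": releases[-1][0],
                         "outdated_days": outdated_days,
                         "outdated_over_year": outdated_days > STALE_AFTER_DAYS,
                         "max_severity": max(scores, default=0.0)})
    # Known vulnerabilities first (highest score), then the longest outdated.
    findings.sort(key=lambda f: (f["max_severity"], f["outdated_days"]), reverse=True)
    return findings

def outdated_share(findings):
    """Fraction outdated for over a year (the report quotes 80% for enterprise apps)."""
    return sum(f["outdated_over_year"] for f in findings) / len(findings)
```

In a real pipeline the registry snapshot would be fetched from the package index and a vulnerability database, and the ranked list would feed an automated update job that opens the highest-priority upgrades first.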
Uplevel Your Prevention Practices
With open-source malware increasing drastically year over year, teams cannot rely solely on traditional scanning tools to mitigate all risks. Because they identify threats based on known patterns, these tools fail to detect novel techniques in open-source malware, creating a massive security gap.
Organizations need more advanced measures than automatic updates and generic scanning methods to detect these elusive attacks. They have to adopt a cybersecurity practice that keeps pace with the rapid evolution of open source by establishing guardrails to ensure better consumption, enforcing regular reviews of all components and embracing transparency across the entire software development lifecycle.
We cannot be okay with the current level of complacency. Attacks will continue to grow more innovative with the adoption of new technologies. The only way to mitigate the threats plaguing organizations today is by changing our consumption habits—which requires improving dependency management, addressing open-source malware risks and adopting rigorous security practices.
The industry is at a crossroads, and we don’t want to look back in another 10 years wishing we’d acted more quickly.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.