COMMENTARY
The complexity of today’s software development – a mix of open source and third-party components, as well as internally developed code – has resulted in a plethora of vulnerabilities for attackers to exploit throughout the software supply chain.
We’ve seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, proving that no industry, company size, or stage of software development is immune. According to a survey by Enterprise Strategy Group (ESG), 91% of organizations experienced at least one security incident in their software supply chain in 2023, and 2024 looked no better.
Security teams are overwhelmed by the task of sorting through, reviewing, and prioritizing tens of thousands of alerts to separate those that pose real risk from those that are benign. In 2023, a group of AppSec experts tackled this problem by introducing the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework that helps organizations gain a deeper understanding of their software supply chain vulnerabilities.
The inaugural OSC&R community report, “OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures,” provides a comprehensive analysis of the severity of software supply chain vulnerabilities. Based on a nine-month analysis of more than 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risks to software supply chains and how well the vulnerabilities found in the wild align with where AppSec teams focus their effort today.
The research provides some startling statistics, including that 95% of organizations have at least one high, critical or apocalyptic risk in their software supply chain, with the average organization carrying nine such issues. Additionally, the OSC&R data shows that many of the most common vulnerabilities in the software supply chain relate to fundamental security measures, such as authentication, encryption, sensitive information exposed in log files, and the principle of least privilege. Below are some of the key conclusions from the report.
1. Be aware of runtime exposure
One in five applications were found to contain high, critical or apocalyptic vulnerabilities that are exploitable at runtime, in the execution phase of an attack, which makes them a prime target for attackers. Because these vulnerabilities only become exposed in later attack phases, it is critical to detect them early in the software development lifecycle, before the application is running in production.
Therefore, AppSec and DevOps teams should also strengthen application runtime security, by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.
2. It’s worth fixing older vulnerabilities
While newer vulnerabilities make the headlines, older, well-understood vulnerability classes remain the most common attack vectors in supply chain security. Techniques such as command injection (15.4% of applications), sensitive data in log files (12.4% of applications) and cross-site scripting (11.4% of applications), as well as slow-burn compromises such as CVE-2024-3094, the backdoor planted in the XZ Utils compression library shipped by major Linux distributions, still wreak havoc in unpatched systems. Attackers continue to succeed with historic tactics and techniques, proving that “old school” vulnerabilities pose significant and persistent risks.
To counter these tactics and techniques and reduce the likelihood of attacks, organizations should regularly assess and update legacy systems and codebases to patch known vulnerabilities. Additionally, a robust vulnerability management program that continuously scans for both old and emerging threats will keep software resilient to known risks.
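Two of the “old school” classes named above, command injection and sensitive data in log files, are easy to show side by side. The following is an added example, not code from the report or from the OSC&R project: a vulnerable command wrapper next to its hardened form, and a log redaction helper. The hostname pattern, the secret-matching pattern, and the sample inputs are all constructed for illustration and are assumptions, not anything the report prescribes.

```python
import re
import subprocess

# Constructed sample: a value an attacker controls, such as a hostname field
# from a web form. The payload appends a second shell command.
MALICIOUS_HOST = "example.com; echo INJECTED"

# Constructed allow-list for hostnames (letters, digits, dots, hyphens).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def lookup_vulnerable(host: str) -> str:
    """Command injection pattern: untrusted input is interpolated into a shell
    string and handed to /bin/sh via shell=True, so metacharacters such as ';'
    in `host` become new commands. `echo` stands in for a real tool."""
    completed = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def lookup_hardened(host: str) -> str:
    """Hardened form: validate against an allow-list, then pass the value as a
    single argv element so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    completed = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return completed.stdout


# Constructed pattern for the kinds of secrets that commonly leak into logs:
# bearer tokens, password= and api_key= parameters. Group 1 keeps the label.
SECRET_RE = re.compile(
    r"(?i)(authorization:\s*bearer\s+|password=|api[_-]?key=)\S+"
)

# Constructed log line with several secrets embedded in it.
SAMPLE_LOG_LINE = (
    "user=alice password=hunter2 Authorization: Bearer eyJabc.def "
    "api_key=sk-123 status=200"
)


def redact(message: str) -> str:
    """Replace the secret value after each recognised label, keeping the label
    so the log line stays useful for debugging."""
    return SECRET_RE.sub(r"\1[REDACTED]", message)


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(MALICIOUS_HOST)))
    print("hardened  :", repr(lookup_hardened("example.com")))
    try:
        lookup_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print("hardened rejects payload:", exc)
    print("redacted  :", redact(SAMPLE_LOG_LINE))
```

Running the block shows the vulnerable wrapper emitting the injected `INJECTED` line as a second command, while the hardened version rejects the payload outright and, for a valid hostname, never invokes a shell. The redaction helper is the kind of filter that belongs in front of every log sink, not only the ones a developer remembers to sanitize.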
3. Vulnerabilities that span multiple attack phases increase damage
The OSC&R report’s data analysis shows that 36% of applications are vulnerable to exploits in the initial access phase, and many applications carry vulnerabilities that span multiple attack phases. Vulnerabilities in the initial access phase often open the door to more serious threats, such as persistence and execution exploits.
The data underlines the need for AppSec and DevOps teams to strengthen defenses at all stages of the attack lifecycle, not just the early stages. Organizations must implement multi-layered security controls that can detect and neutralize threats at different stages of the kill chain, to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.
Next steps for AppSec teams
One of the questions the inaugural OSC&R report set out to answer was whether what AppSec and DevOps teams were focusing on matched the vulnerabilities found in the wild. The data shows that this is not yet the case. Progress is being made, but the high number of vulnerabilities entering live applications through the supply chain and the high percentage of organizations reporting supply chain security incidents indicate the need for more attention to proactive software security measures.
Additionally, organizations need to take a more systematic look at both their software development processes and the attack lifecycle to identify the places most at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic insight into their supply chain – from the build phase through to runtime, and including the development and testing environments, which are occasionally overlooked.
Furthermore, it is clear that it is not enough to focus on one or two phases of software development or one phase of the attack life cycle. Enterprises should adopt a multi-layered, full-lifecycle AppSec strategy, accompanied by tools that can unify all phases, to reduce the likelihood of attacks.
Development and security teams now have a reference they can use to map their programs against known attack vectors and tactics. OSC&R essentially lays the foundation for a streamlined software security program that reduces the number of vulnerabilities reaching production, increases the resilience of the organization as a whole, and lowers the risk of breaches caused by software bugs.