As software supply chains grow increasingly interconnected, security threats continue to evolve. While common risks like third-party vulnerabilities and dependency issues are well-known, less-common or overlooked software supply chain threats can leave organizations exposed to potential attacks.
From unpatched legacy code to insecure AI models and hidden licensing risks, addressing these blind spots is critical. Below, members of Forbes Technology Council share some commonly overlooked issues in software supply chain security and the proactive steps teams can take to mitigate them.
1. Lack Of Visibility Into Dependencies
A key overlooked issue in software supply chain security is the lack of visibility into third-party dependencies. Many rely on open-source components without tracking vulnerabilities. To address this, the industry should adopt software bills of materials, ensure continuous monitoring and enforce strict dependency management to improve transparency and resilience. – Mammon Baloch, Starlight Retail Inc.
2. Outdated Code In Third-Party Libraries
The persistence of outdated, vulnerable code in third-party libraries deserves more attention. Developers rely on prebuilt libraries to save time, but unpatched open-source and legacy dependencies introduce significant risks. The industry must adopt automated, continuous code scanning and a proactive “security debt” reduction strategy to systematically identify and remediate these silent threats. – Chris Wysopal, Veracode
3. Unregulated Vendor Security Practices
A key issue in software supply chain security is the lack of robust practices and transparency among vendors, leading to exploitable vulnerabilities. Incidents like SolarWinds and Log4j reveal these risks. Solutions include enforcing security standards, adopting SBOMs and continuous monitoring, applying zero-trust principles and sharing threat intelligence to enhance resilience. – Premosai Range
4. Dependency Confusion
One often-overlooked software supply chain issue is dependency confusion—when malicious packages mimic private dependencies and slip into builds. Organizations must prioritize internal repositories, enforce version controls and adopt tools like SBOMs to safeguard their dependency chains. It’s a growing risk that can’t be ignored. – Omar Turner, Microsoft
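The mitigation described above (keeping internal packages on a private registry and under a private scope) can be checked mechanically in CI. The script below is an added example, not code from the article or any contributor: it reads an npm package-lock.json, confirms that every package known to be internal was resolved from the private registry, and flags internal packages that are not under an npm scope, since an unscoped name is the one a public registry could shadow. The registry host, the internal package list and the lockfile content are constructed for the demonstration.

```python
"""Audit an npm lockfile for dependency-confusion exposure.

Added example (not from the Forbes article or any contributor). The private
registry host, the internal package names and the lockfile are constructed.
"""
import json
from urllib.parse import urlparse

# Assumed private registry host (hypothetical).
PRIVATE_REGISTRY_HOST = "npm.internal.example.com"

# Assumed set of packages the organisation publishes only internally.
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-billing-utils", "@acme/ui-kit"}

# Constructed package-lock.json (lockfileVersion 3 layout) for the demo.
SAMPLE_LOCKFILE = json.dumps({
    "name": "web-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-app", "version": "1.0.0"},
        "node_modules/@acme/auth-client": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example.com/@acme/auth-client/-/auth-client-2.1.0.tgz",
        },
        "node_modules/acme-billing-utils": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz",
        },
        "node_modules/@acme/ui-kit": {
            "version": "1.4.2",
            "resolved": "https://npm.internal.example.com/@acme/ui-kit/-/ui-kit-1.4.2.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})


def package_name(path):
    """Derive the package name from a lockfile 'packages' key.

    'node_modules/@scope/name' -> '@scope/name'; nested entries keep the part
    after the last 'node_modules/' ('node_modules/a/node_modules/b' -> 'b').
    """
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, internal=INTERNAL_PACKAGES, private_host=PRIVATE_REGISTRY_HOST):
    """Return a list of findings; an empty list means no exposure was detected."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        if name not in internal:
            continue
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        # An internal package fetched from anywhere but the private registry is
        # the signature of a confused resolution.
        if host != private_host:
            findings.append({
                "package": name,
                "issue": "resolved from public registry",
                "resolved": resolved,
            })
    for name in sorted(internal):
        if not name.startswith("@"):
            findings.append({
                "package": name,
                "issue": "internal package is unscoped; a public package of the same name could shadow it",
            })
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['package']}: {f['issue']}")
```

Run it as a CI gate that fails the build when the list is non-empty; the same idea transfers to other ecosystems (pip's index URL in a lockfile, Maven repository URLs) by swapping the lockfile parser.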
5. Risky Workarounds
To address production issues faster, business and tech teams often implement strategic workarounds to minimize impact. However, these workarounds can act as backdoors that are less secure, based on the assumption that only a few people know about them. Over time, they become major security risks that are vulnerable to attacks. Always ensure workarounds follow strict security standards to protect the software. – Kouoshik Sundar, Citibank
6. Insecure Or Unavailable Backup Systems
The need for secure, available backups is underdiscussed. The industry must follow the golden rule of backups—the 3-2-1-1-0 rule—for rapid data recovery. Having three copies of data across two different media, one offsite copy and one that is offline, air-gapped or immutable, combined with zero-trust data resilience practices, will ensure businesses keep running when cyberattacks strike. – Rick Vanover, Veeam
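The 3-2-1-1-0 rule above is easy to state and easy to quietly violate (three snapshots on the same array satisfy "three copies" but nothing else). The checker below is an added example, not from the article or Veeam: it evaluates a backup inventory against each of the five components and reports which ones fail. The inventories are constructed for the demonstration.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule.

Added example (not from the article or any contributor). Each copy records its
medium, whether it is offsite, whether it is offline / air-gapped / immutable,
and the error count from the last restore test. Inventories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str            # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline_or_immutable: bool
    verify_errors: int     # errors reported by the last restore / integrity test


def check_3_2_1_1_0(copies):
    """Return a dict mapping each rule component to True (met) or False (not met)."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_offline_or_immutable": any(c.offline_or_immutable for c in copies),
        # "0 errors" only means something if there is a verified copy at all.
        "0_errors": len(copies) > 0 and all(c.verify_errors == 0 for c in copies),
    }


def failing_components(copies):
    """List the rule components the inventory does not satisfy, in rule order."""
    return [name for name, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory that satisfies the rule.
COMPLIANT = [
    BackupCopy("production volume", "disk", offsite=False, offline_or_immutable=False, verify_errors=0),
    BackupCopy("nightly object-lock copy", "object-storage", offsite=True, offline_or_immutable=True, verify_errors=0),
    BackupCopy("weekly tape", "tape", offsite=True, offline_or_immutable=True, verify_errors=0),
]

# Constructed inventory that looks like "three copies" but all sit on the same
# disk medium with nothing offline: an attacker who reaches the storage network
# reaches every copy, which is exactly what the rule is meant to prevent.
SAME_ARRAY = [
    BackupCopy("production volume", "disk", offsite=False, offline_or_immutable=False, verify_errors=0),
    BackupCopy("replica", "disk", offsite=True, offline_or_immutable=False, verify_errors=0),
    BackupCopy("snapshot", "disk", offsite=False, offline_or_immutable=False, verify_errors=2),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("same-array", SAME_ARRAY)):
        print(label, "->", failing_components(inventory) or "OK")
```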
7. Third Parties As A Single Point Of Entry
A major vulnerability in software supply chains is their dependence on vast third-party ecosystems. Third parties are prime targets for threat actors, offering a single point of entry to multiple organizations. To mitigate this risk in an increasingly hostile threat landscape, the industry should adopt zero-trust security models that emphasize strict access management and role-based controls. – FRO ROCH, Pulled
8. False Positive Alerts
Teams are drowning in false positive alerts—without any sense of context—about potential dangers in the open-source software code used to develop new applications. This alert fatigue undermines effective security. Organizations can significantly reduce false positives with disruptive technologies that pinpoint vulnerabilities that are actually reachable in your code and need prioritization. – Varun Badhwar, Endor Labs
9. Accumulated Technical Debt
One underdiscussed issue affecting security is technical debt from outdated or unmaintained dependencies. Teams can accumulate tech debt by neglecting necessary updates, leaving known vulnerabilities unaddressed. We should dedicate around 20% of our effort to regularly addressing technical debt, updating dependencies and integrating security checks to mitigate risks. – Dhruv Seth, Walmart Global Tech
10. Vulnerabilities In Shared File Data
An overlooked issue in software supply chain security is the vulnerability of shared file data. Files exchanged between stakeholders can carry hidden threats like malware, compromising the entire chain. Based on experience with key providers across the automotive supply chain, having a centralized platform with cyber resilience and disaster recovery built in makes all the difference. – Nick Burling, Nasuni
11. Human Error And Insider Threats
While many focus on securing code and dependencies, an often-overlooked issue in software supply chain security is the human element. This encompasses everything from social engineering and insider threats to simple human error and inadequate security training. An emphasis on robust security training, strong authentication and access controls, and background checks could alleviate some of the pain points. – Kunal Khashu, HCA Healthcare
12. Failure To Invest In Security Tools
An often-overlooked issue is the tendency to prioritize productivity investments, like hiring or salary increases, over operational expenditures like security tools. To address this, the industry should focus on automating security measures for sustainability. Use tools like Drata or Vanta for continuous compliance and SonarQube or Snyk for code analysis. – Gabriel Labrada, Process Street
13. Misconfigured Open-Source Dependencies
A critical but often overlooked issue in software supply chain security is the risk from misconfigured open-source dependencies. With many relying on external libraries, vulnerable configurations can introduce backdoors or exploitable flaws. The industry must prioritize automated configuration audits, secure code scanning and transparent dependency management to mitigate these risks effectively. – Madhava Rao Kunchhala
14. Unprotected Satellite Communication Networks
The vulnerability of satellite communication systems to cyberattacks is often overlooked. A breach could disrupt GPS or communications networks. The industry must prioritize encryption, conduct code audits and use AI monitoring to detect threats. Collaboration between space agencies, governments and private companies is essential to securing critical infrastructure. – Shelli Brunswick, SB Global LLC
15. Security Gaps In Browser Extensions
Browser extensions share similar risks with software supply chains, as they can be exploited to compromise systems or steal data. The industry should enforce stricter vetting, including code audits and transparency around ownership changes. Organizations can reduce risks by restricting extensions to an approved list and regularly reviewing permissions. Educating users about these risks is equally vital. – Akash Kilaru, City National Bank
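The approved-list and permission-review controls described above can be applied to an extension's own manifest before it is allowed onto managed browsers. The script below is an added example, not from the article or any contributor: it reads a Chrome manifest.json (Manifest V3 keys `permissions` and `host_permissions`, with the Manifest V2 habit of host patterns inside `permissions` also handled), checks the extension ID against an approved list, and flags broad host access and high-risk permissions. The approved IDs, the risk list and the manifest are constructed for the demonstration; real extension IDs are 32 characters from a to p.

```python
"""Screen a browser extension against an approval list and a permission policy.

Added example (not from the article or any contributor). The approved list,
the high-risk permission set and the sample manifest are constructed.
"""
import json

# Constructed approval list: extension ID -> display name.
APPROVED = {
    "abcdefghijklmnopabcdefghijklmnop": "Corporate Password Manager",
}

# Permissions the (assumed) policy treats as high risk because they expose
# browsing content, session cookies or the host OS to the extension.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger",
    "nativeMessaging", "scripting", "tabs", "history", "clipboardRead",
}

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def review_extension(ext_id, manifest_text, approved=APPROVED):
    """Return a list of finding strings; an empty list means the extension passes."""
    manifest = json.loads(manifest_text)
    findings = []
    if ext_id not in approved:
        findings.append("not on the approved extension list")
    permissions = set(manifest.get("permissions", []))
    risky = sorted(permissions & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    # MV2 manifests mix host patterns into 'permissions'; MV3 uses 'host_permissions'.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in permissions if "://" in p or p == "<all_urls>"
    }
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    # A content script matched against every page reads and modifies every page.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script runs on all pages")
            break
    return findings


# Constructed manifest for a "deal finder" style extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Deal Finder",
    "version": "4.2.0",
    "permissions": ["storage", "cookies", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
SAMPLE_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"  # constructed, not a real extension

if __name__ == "__main__":
    for finding in review_extension(SAMPLE_ID, SAMPLE_MANIFEST):
        print("-", finding)
```

Re-running the review whenever a store listing changes version or owner gives the "transparency around ownership changes" the contributor asks for a concrete trigger: a previously clean manifest that suddenly asks for `<all_urls>` is the signal to revisit approval.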
16. Ignoring Dependency Licenses
An overlooked issue in software security is licensing risks—when developers ignore dependency licenses, risking legal disputes or forced disclosure of proprietary code. Tech leaders must champion the use of automated tools to track and ensure open-source license compliance, protecting innovation and preventing costly errors. – Himanshu Sinha, Marriott International Inc.
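The software bill of materials called for in item 1 is the natural input for the continuous vulnerability scanning of item 2 and the automated license tracking described here, since one inventory serves all three. The script below is an added example, not code from the article or any contributor: it parses a CycloneDX JSON SBOM, compares each component's version against a list of advisories, and checks the declared SPDX license identifiers against a deny list. The SBOM, the advisories, the advisory identifiers and the license policy are constructed for the demonstration; a real pipeline would pull advisories from a vulnerability database rather than an inline list.

```python
"""Audit a CycloneDX SBOM for known-vulnerable components and license violations.

Added example (not from the article or any contributor). The SBOM, the advisory
list with its ADV-EXAMPLE identifiers, and the denied-license policy are constructed.
"""
import json

# Constructed CycloneDX 1.5 JSON SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "pdf-render", "version": "1.3.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.9.0"},
    ],
})

# Constructed advisories: a component is affected when its version < fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "log4j-core", "fixed_in": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "name": "lodash", "fixed_in": "4.17.21"},
]

# Assumed license policy: SPDX identifiers that may not ship in proprietary products.
DENIED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.

    Non-numeric suffixes ('1.3.0-beta') are stripped from each piece; an empty piece counts as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def component_licenses(component):
    """Collect SPDX ids (or free-text names) declared for a component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name"))
    return [lic for lic in ids if lic]


def audit_sbom(sbom_text, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return (vulnerable, license_violations, unlicensed) as lists of strings."""
    sbom = json.loads(sbom_text)
    vulnerable, violations, unlicensed = [], [], []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp.get("version", "0")
        for adv in advisories:
            if adv["name"] == name and version_key(version) < version_key(adv["fixed_in"]):
                vulnerable.append(f"{name}@{version} ({adv['id']}, fixed in {adv['fixed_in']})")
        licenses = component_licenses(comp)
        if not licenses:
            # A component with no declared license is a compliance gap, not a pass.
            unlicensed.append(name)
        else:
            hits = sorted(set(licenses) & denied)
            if hits:
                violations.append(f"{name}: {', '.join(hits)}")
    return vulnerable, violations, unlicensed


if __name__ == "__main__":
    vulnerable, violations, unlicensed = audit_sbom(SAMPLE_SBOM)
    print("vulnerable:", vulnerable)
    print("license violations:", violations)
    print("no license declared:", unlicensed)
```

The numeric version comparison matters: comparing "2.14.1" and "2.9.0" as strings would call 2.14.1 the older release and silently skip the advisory.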
17. Unsecured API Integrations
An often-overlooked issue in software supply chain security, especially in financial services, is the reliance on legacy systems interwoven with modern fintech APIs. These integrations often lack consistent security audits. The industry must enforce rigorous API security standards, enhance transaction monitoring and deploy AI-driven threat detection to safeguard sensitive financial ecosystems. – Jitender Jain