Story image

Huge vulnerabilities in software supply chain being exploited

04 Oct 2018
Sponsored

Cybersecurity breaches are occurring seemingly every week. The one good thing you could say comes from this is that businesses are able to learn from others’ mistakes.

However, Sonatype’s recently released ‘2018 State of the Software Supply Chain’ report reveals this isn’t the case.

For example, no introduction is necessary for one of the largest breaches of all time. Equifax was laid bare due to a Struts visibility, and despite this, Sonatype has recorded eight further Struts breaches this year alone, in addition to a new battlefront of attacks on open source releases that have affected tens of thousands of developers.

Sonatype vice president Derek Weeks says today’s organisations are finding they have to embrace open source software in the software development lifecycle in a bid to get it out the door and maintain a competitive edge. However, this rush is effectively leaving the door open for cybercriminals as they have already proven they have the intent and ability to exploit security vulnerabilities in the software supply chain.

“Organisations are building out armies of software developers, consuming extraordinary amounts of open source components, and equipping teams with tools designed to automate and optimise the entire software development lifecycle,” says Weeks.

“Innovation is critical, speed is king, and open source is at centre stage.”

A grim picture painted from findings in the report clearly shows why there is need for concern:

  • Software developers downloaded more than 300 billion open source components in the past year alone, while one in eight of those components contained known security vulnerabilities, a 120 percent year on year increase.
  • The mean time for these vulnerabilities to exploit compressed by 93.5 percent, from 45 days to a measly three days.
  • Despite the consistent breaches, organisations remain very much in the dark with 1.3 million vulnerabilities in open source software components lacking a corresponding CVE advisory in the public NVD database.
  • Meanwhile, 62 percent of organisations admitted to not having meaningful controls over what open source software components are used in their applications.

So what then is the solution? Sonatype CEO Wayne Jackson says it lies in proper management, which along with further findings is outlined in the company’s 2018 report.

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,” says Jackson.

“This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

The 2018 State of the Software Supply Chain Report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Click here to view the full Sonatype report.

Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.