sb-eu logo
Story image

Huge vulnerabilities in software supply chain being exploited

04 Oct 2018

Cybersecurity breaches are occurring seemingly every week. The one good thing you could say comes from this is that businesses are able to learn from others’ mistakes.

However, Sonatype’s recently released ‘2018 State of the Software Supply Chain’ report reveals this isn’t the case.

For example, no introduction is necessary for one of the largest breaches of all time. Equifax was laid bare due to a Struts visibility, and despite this, Sonatype has recorded eight further Struts breaches this year alone, in addition to a new battlefront of attacks on open source releases that have affected tens of thousands of developers.

Sonatype vice president Derek Weeks says today’s organisations are finding they have to embrace open source software in the software development lifecycle in a bid to get it out the door and maintain a competitive edge. However, this rush is effectively leaving the door open for cybercriminals as they have already proven they have the intent and ability to exploit security vulnerabilities in the software supply chain.

“Organisations are building out armies of software developers, consuming extraordinary amounts of open source components, and equipping teams with tools designed to automate and optimise the entire software development lifecycle,” says Weeks.

“Innovation is critical, speed is king, and open source is at centre stage.”

A grim picture painted from findings in the report clearly shows why there is need for concern:

  • Software developers downloaded more than 300 billion open source components in the past year alone, while one in eight of those components contained known security vulnerabilities, a 120 percent year on year increase.
  • The mean time for these vulnerabilities to exploit compressed by 93.5 percent, from 45 days to a measly three days.
  • Despite the consistent breaches, organisations remain very much in the dark with 1.3 million vulnerabilities in open source software components lacking a corresponding CVE advisory in the public NVD database.
  • Meanwhile, 62 percent of organisations admitted to not having meaningful controls over what open source software components are used in their applications.

So what then is the solution? Sonatype CEO Wayne Jackson says it lies in proper management, which along with further findings is outlined in the company’s 2018 report.

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,” says Jackson.

“This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

The 2018 State of the Software Supply Chain Report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Click here to view the full Sonatype report.

Story image
Why organisations should wise up to the DDoS extortion trend
While it is essential to have a DDoS mitigation solution in place, it’s also important to test that it works as expected, writes NCC Group director of technical security consulting for Asia Pacific Tim Dillon.More
Story image
BlueVoyant acquires Managed Sentinel, builds out Microsoft MSS offerings
“Combining Managed Sentinel’s Azure Sentinel deployment expertise with BlueVoyant’s MDR capabilities will help customers operationalise and maximise Microsoft security technologies."More
Story image
Businesses left to make decisions based on old, inaccurate data, study finds
"It is more critical than ever that organisations have access to actionable, contextualised, near real-time threat data to power the network and application security tools they use to detect and block malicious actors."More
Story image
Palo Alto Networks extends cloud native security platform with new modules
Palo Alto Networks has announced the availability of Prisma Cloud 2.0, including four new cloud security modules, thus extending its Cloud Native Security Platform (CNSP). More
Story image
Why best-practice threat data management provides confident automation
Understanding an organisation’s threat landscape requires having both the right threat data sources and the proper prioritisation to derive actionable threat intelligence for your organisation. More
Story image
Gigamon and Zscaler release cloud-first network detection for fluid workforces
“Our customers have significantly accelerated their digital transformation journeys during the pandemic, and this integration will help them better respond to threats.”More