- Attacks through malicious code/malware are on the rise. While vulnerability exploits remain the largest cause of supply chain attacks, deliberate assaults using malware and malicious packages as a vector are rapidly growing. Fifty-nine percent of respondents in the Ponemon research have been impacted by a software supply chain attack or exploit, with the majority noting that the attacks happened in the past year.
- Most organizations are unprepared to deal with the new threat of malware/malicious packages. Only 39% of respondents said their senior leadership are very or highly committed to reducing the risk of malicious code/malware in software supply chains. While 63% of respondents said their organizations evaluate third-party software for malware, most rely on comparing supplied Software Bills of Materials against known malicious packages. Only 45% conduct binary analysis of application dependencies, and only 37% perform continuous threat monitoring.
- Many organizations rely on application security vendors to stay informed about new software vulnerabilities. Historically, organizations relied on vulnerability data from public databases, such as the National Vulnerability Database (NVD). However, as the volume of reported vulnerabilities grows, publicly maintained resources like the NVD have struggled to keep abreast of new vulnerability disclosures. Many software composition analysis tools now supplement public data with detailed and timelier information from proprietary databases such as the Black Duck® KnowledgeBase™ to help organizations identify security vulnerabilities more quickly and get actionable recommendations.
- Delays in addressing vulnerabilities are putting software supply chains at risk. Only 38% of respondents said their organizations are very or highly effective at detecting and responding to an exploit of a known vulnerability. Almost half of respondents (47%) said their organizations take anywhere from at least a month to more than six months to respond to a critical software vulnerability.
- Those delays are likely caused by not using automation to track and manage open source dependencies. Open source and other third-party code is often introduced into applications through “dependencies”—libraries of code distributed by package managers for use by other software. Because they are so useful, open source dependencies support nearly every application in every industry. In fact, the “Open Source Security and Risk Analysis” (OSSRA) report found an average of 526 open source dependencies in any given application.
The Ponemon research indicates that most organizations do not know the extent of the open source dependencies they have in their software—only 39% of respondents said their organizations even keep an inventory of open source dependencies. Thirty-seven percent are still solely using manual review and management of open source components, while another 41% are using a mix of manual component review and automated management. Only 22% use automated or policy-based review and management alone.
- The use of AI in the software development life cycle is gaining traction, but monitoring AI-generated code for IP and license risk is not keeping pace. Fifty-two percent of respondents said their development teams leverage AI tools to generate code. However, only 32% have processes in place to evaluate that AI-generated code.
While overshadowed by highly publicized open source security breaches, IP and license compliance risk should be of concern to organizations working to secure their software supply chain. For example, it's common practice for developers to use “snippets” (extracts from larger pieces of code) in their software development. But even if software includes only a snippet of open source, users of the software must still comply with any license associated with the snippet.
The growing use of AI-assistant tools for code generation is amplifying the problem. AI code writing assistants may suggest code snippets without including notice of that code’s licensing obligations, exposing organizations using that code to potential noncompliance issues. Even one noncompliant license in software can result in legal reviews, freezes in merger and acquisition transactions, loss of intellectual property rights, time-consuming remediation efforts, and delays in getting a product to market.
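To make the SBOM comparison and dependency inventory practices mentioned above concrete, here is an added Python example (not from the Ponemon report or from Black Duck): it parses a constructed CycloneDX-style SBOM, checks each package URL against a constructed deny-list of known-bad packages, and flags unpinned components that cannot be compared at all. The package names, versions and deny-list entries are all made up for illustration.

```python
"""Constructed example: check a CycloneDX-style SBOM against a deny-list."""
import json
from urllib.parse import unquote

# Constructed deny-list, NOT real indicators: (ecosystem, name) -> known-bad versions.
# An empty set means every version of that package is treated as malicious.
DENYLIST = {
    ("npm", "example-malicious-pkg"): {"1.0.3"},
    ("pypi", "totally-not-a-typosquat"): set(),
}

# Constructed CycloneDX 1.5 JSON fragment containing only the fields this check reads.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-malicious-pkg", "version": "1.0.3",
         "purl": "pkg:npm/example-malicious-pkg@1.0.3"},
        {"name": "example-malicious-pkg", "version": "1.0.2",
         "purl": "pkg:npm/example-malicious-pkg@1.0.2"},
        {"name": "left-ish-pad", "purl": "pkg:npm/%40acme/left-ish-pad"},
        {"name": "example-http-client", "version": "2.3.1",
         "purl": "pkg:pypi/example-http-client@2.3.1"},
        {"name": "totally-not-a-typosquat", "version": "0.0.1",
         "purl": "pkg:pypi/totally-not-a-typosquat@0.0.1"},
    ],
})


def parse_purl(purl):
    """Split a package URL into (type, name, version); version may be None."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    return ptype, unquote(name), version or None


def check_sbom(sbom_json, denylist=DENYLIST):
    """Return one (name, version, reason) finding per component that hits the deny-list or is unpinned."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        bad_versions = denylist.get((ptype, name))
        if bad_versions is not None and (not bad_versions or version in bad_versions):
            findings.append((name, version, "known-malicious"))
        elif version is None:
            # An unpinned component cannot be compared against any list: a policy gap in itself.
            findings.append((name, version, "unpinned-version"))
    return findings


if __name__ == "__main__":
    for name, version, reason in check_sbom(SBOM_JSON):
        print(f"{reason:18} {name}@{version}")
```

A real pipeline would refresh the deny-list from a curated feed and fail the build on any finding; the point here is that a deny-list match only covers packages already known to be bad, which is why the report pairs it with binary analysis and continuous monitoring.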
For more insights into the findings from the Ponemon report “The State of Software Supply Chain Security Risks,” download your complimentary copy today.
- This blog was reviewed by Shandra Gemmetti