Question 1

BN: Why have software supply chains become such a target?

Accepted Answer

RC: Software permeates every area of an organization, across industries and geographies. In that sense, it is liquid and should flow like water. However, the current silos in software development create significant blind spots and heightened risks due to the fragmented tools and methods currently used to manage the software supply chain, plus an expanding open-source ecosystem. In fact, industry research suggests 82 percent of open-source software components are 'inherently risky' due to a mix of vulnerabilities, security issues, code quality or maintainability concerns. Additionally, the same report shows that while more than 70 percent of software in the enterprise is open source, these elements often aren't tracked, maintained, updated or inventoried, leaving serious vulnerabilities in the software supply chain for threat actors to exploit. Hackers know that open source packages, and the developers who use them, are the golden ticket to security breaches. They tend to strike either by exploiting weaknesses introduced through CVEs (typically unintentional flaws by open source developers) or introducing their own malicious packages masquerading as safe open source components. Once an attacker is inside an organization, they often have a lot of lateral capabilities to wreak havoc on several other systems.

Question 2

BN: How do faster release cycles impact this?

Accepted Answer

RC: In today's software-driven world, the mantra 'release fast or die' creates intense demand for software development and deployment speed. Developers need to juggle business requirements while security teams add layers of protection that can often create prolonged timelines to production. Post-deployment fixes for binary vulnerabilities can cost millions of dollars. It's wiser to assess and solve security issues before deploying software, avoiding repercussions in the high-stakes runtime arena, but more often than not, faster release cycles remain the priority. By taking an end-to-end approach to software supply chain management companies can ensure security measures are infused at every stage of the software development process, enabling developers to move quickly from design to production and reduce the risk of faulty software going live.

Question 3

BN: What techniques can organizations adopt to defend themselves?

Accepted Answer

RC: There are a few techniques and areas of focus organizations should adopt to better defend their software supply chains from attack, including: By adhering to these fundamental considerations, organizations can bolster the reliability and resilience of their software, boost developer productivity, and safeguard digital ecosystems at large.

Question 4

BN: Why are SBOMs such a key part of the process?

Accepted Answer

RC: Software Bills of Materials (SBOM) are crucial for securing the software supply chain because they provide transparency into the components that make up a software application, allowing organizations to easily identify potential vulnerabilities within their software by listing all the third-party libraries, dependencies, and versions used, enabling proactive risk management and rapid response to security issues within the supply chain. Having SBOMs allows organizations to revert their software updates to the most recent version that was not compromised, thus enabling continued business continuity. In addition, SBOMs can help to address compliance requirements and provide assurances to customers and partners that your business takes supply chain security seriously.

Question 5

BN: How important is collaboration between developers and security teams to safeguarding projects?

Accepted Answer

RC: The software supply chain is an aggregation of all the people, processes, and technologies involved in producing or updating a piece of software. Common components include source code, third party code, open-source libraries, dependencies, toolchains, infrastructure, and more. The need for software supply chain security measures has grown in recent years due to increasing reliance on third-party components when building and deploying applications. Reuse of third-party resources, including open source components, can reduce the amount of code developers have to write from scratch. However, any security risks that exist within the external resources will become risks for the applications that use them. The lack of security training for developers makes the issue even more challenging, particularly when AI-generated code, trained on potentially insecure open-source data, is not adequately screened for vulnerabilities. Unfortunately, once AI/ML models integrate such code, the potential for undetected exploits only increases, so developers must also function as security champions, meaning DevOps and security can no longer be considered separate functions. Investment in regular security training and providing resources to help developers stay ahead of threats are crucial. Also, enhancing collaboration between development and security teams will ensure that security measures are seamlessly integrated, creating a solid defense against threats. Ultimately, embedding security at every stage of development is essential when building resilient and secure software. Image credit: Acnalesky/Dreamstime.com

open source vulnerability

Software supply chain attacks and how to deal with them [Q&A]

Want a 75 percent chance of breaking your app? Install a security patch

74 percent of codebases have high-risk open source vulnerabilities

Bugcrowd sees 30 percent increase in web vulnerability submissions

One in eight open source downloads have known and avoidable risks

Google launches OSV-Scanner to help identify vulnerabilities in open source software

Recent Headlines

Tuxedo unveils Gemini 17 Gen4 Linux laptop for high performance workloads

Threats improve to slip past firewalls and filters

Paranoia rules -- how automation can enable better detection and response [Q&A]

Google reveals Year in Search 2025

Apple announces more changes at the top

Microsoft is preparing to give the Windows 11 Run dialog a much-needed makeover

Google shares its favorite Chrome extensions of 2025 as AI takes over the browser

Most Commented Stories

Spotify Wrapped 2025 is here, and this time it’s interactive and competitive

Crucial brand to disappear as Micron shifts focus to AI data center memory

Open-source BitTorrent app FrostWire 7 launches with rebuilt engine and zero ads

Google shares its favorite Chrome extensions of 2025 as AI takes over the browser

Opera brings upgraded Google AI to its browsers

Google has dropped its antitrust complaint against Microsoft in the EU

Raspberry Pi launches 1GB Raspberry Pi 5 at $45, raises the price of other models

Desktop web traffic overtakes mobile for the first time in 5 years

NEWS