Story image

Huge vulnerabilities in software supply chain being exploited

04 Oct 18
Sponsored

Cybersecurity breaches are occurring seemingly every week. The one good thing you could say comes from this is that businesses are able to learn from others’ mistakes.

However, Sonatype’s recently released ‘2018 State of the Software Supply Chain’ report reveals this isn’t the case.

For example, no introduction is necessary for one of the largest breaches of all time. Equifax was laid bare due to a Struts visibility, and despite this, Sonatype has recorded eight further Struts breaches this year alone, in addition to a new battlefront of attacks on open source releases that have affected tens of thousands of developers.

Sonatype vice president Derek Weeks says today’s organisations are finding they have to embrace open source software in the software development lifecycle in a bid to get it out the door and maintain a competitive edge. However, this rush is effectively leaving the door open for cybercriminals as they have already proven they have the intent and ability to exploit security vulnerabilities in the software supply chain.

“Organisations are building out armies of software developers, consuming extraordinary amounts of open source components, and equipping teams with tools designed to automate and optimise the entire software development lifecycle,” says Weeks.

“Innovation is critical, speed is king, and open source is at centre stage.”

A grim picture painted from findings in the report clearly shows why there is need for concern:

  • Software developers downloaded more than 300 billion open source components in the past year alone, while one in eight of those components contained known security vulnerabilities, a 120 percent year on year increase.
  • The mean time for these vulnerabilities to exploit compressed by 93.5 percent, from 45 days to a measly three days.
  • Despite the consistent breaches, organisations remain very much in the dark with 1.3 million vulnerabilities in open source software components lacking a corresponding CVE advisory in the public NVD database.
  • Meanwhile, 62 percent of organisations admitted to not having meaningful controls over what open source software components are used in their applications.

So what then is the solution? Sonatype CEO Wayne Jackson says it lies in proper management, which along with further findings is outlined in the company’s 2018 report.

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,” says Jackson.

“This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

The 2018 State of the Software Supply Chain Report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Click here to view the full Sonatype report.

Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).