The unknown risks of the software supply chain: a deep dive

Software Supply Chain

In a world where more and more organizations are adopting open source components as foundational blocks in their applications’ infrastructure, it is difficult to view traditional SCAs as complete defense mechanisms against open source threats.

Using open source libraries saves a lot of coding and debugging time, thereby reducing the time to deliver our applications. But as codebases increasingly consist of open source software, it’s time to respect the entire attack surface – including attacks on the supply chain itself – when choosing an SCA platform to depend on.

The impact of one dependency

When a company adds an open source library, they are likely adding not only the library they intended, but many other libraries as well. This is due to the way open source libraries are built: like every other application on the planet, they strive for speed of delivery and development and therefore rely on code that other people have built, i.e. other open source libraries.

The actual terms are direct dependency – a package that you add to your application – and transitive dependency – a package that is implicitly added by your dependencies. If your application uses package A, and package A uses package B, then your application indirectly depends on package B.

And if package B is vulnerable, your project is also vulnerable. This problem has led to the rise of the world of SCAs – Software Composition Analysis platforms – that can help pinpoint vulnerabilities and propose solutions.

However, SCAs only solve the problem of vulnerabilities. What about supply chain attacks?

Supply chain security best practices cheat sheet

Attacks on the software supply chain are on the rise.

According to Gartner’s predictions, by 2025, 45% of organizations will be affected. Traditional Software Composition Analysis (SCA) tools are not enough, and now is the time to take action.

Download our cheat sheet to discover the five types of critical supply chain attacks and better understand the risks. Implement the 14 best practices listed at the end of the cheat sheet to defend against this.

🔗 Download the cheat sheet now

Attacks vs. vulnerabilities

It may not be clear what we mean by an ‘unknown’ risk. Before we go into the distinction, let’s first look at the difference between vulnerabilities and attacks:

A vulnerability:

  • A non-intentional error (aside from very specific advanced attacks)
  • Identified by a CVE
  • Included in public databases
  • Defense possible before exploitation
  • Includes both regular and zero-day vulns
    • Example: Log4Shell is a vulnerability

A supply chain attack:

  • An intentional malicious activity
  • Lacks specific CVE identification
  • Not tracked by standard SCAs or public databases
  • By the time it is discovered, exploitation or activation has usually already been attempted
    • Example: SolarWinds is a supply chain attack

An unknown risk is almost by definition an attack in the supply chain that cannot be easily detected by your SCA platform.

SCA tools are not enough!

SCA tools may appear to solve the problem of protecting against supply chain risks, but they do not address any of the unknown risks (including all major supply chain attacks) and leave you exposed in some of the most critical parts of your infrastructure.

So a new approach is needed to mitigate the known and unknown risks in the ever-evolving supply chain landscape. This guide assesses all known and unknown risks in your supply chain, suggests a new way of looking at things and provides a great reference (or introduction!) to the world of supply chain risk.
