Software supply chain security continues to be a major concern for businesses. A new report, "OSC&R In the Wild: A New Look at the Most Common Software Supply Chain Exposures," sheds light on the challenges and vulnerabilities many organizations face. With 91% of organizations experiencing a supply chain security incident in 2023, the need for stronger defenses is more urgent than ever. The report highlights the OSC&R (Open Software Supply Chain Attack Reference) framework as a critical tool for understanding and mitigating the risks within the software supply chain.
Researchers collected over one hundred million software supply chain security alerts from thousands of applications and repositories. By analyzing this data through the lens of the OSC&R framework, the report provides a detailed view of how attackers target various stages of the software development lifecycle. This information is essential for AppSec, DevOps, and Product Security teams to prioritize vulnerabilities and strengthen their defenses against real-world threats.
Alert Overload
One of the key takeaways from the report is the overwhelming volume of alerts security teams face, with the average organization managing over 119,000 alerts from its applications. This "alert overload" makes it difficult to focus on the most critical vulnerabilities, leaving many serious risks unresolved. Even after applying automated analysis to reduce noise, organizations still face around 660 high-priority issues, illustrating the scale of the challenge.
The report also underscores the persistence of vulnerabilities in widely known attack stages like Initial Access, Execution, and Persistence. These stages, which represent critical points in the attack chain, are where organizations are most vulnerable. The findings show that despite advancements in security tools and practices, many companies remain exposed to age-old vulnerabilities like command injection and cross-site scripting, which continue to provide easy entry points for attackers.
Multi-stage Exposures
What’s especially concerning is the number of applications that contain vulnerabilities across multiple stages of the kill chain. This "multi-stage exposure" creates fertile ground for attackers, amplifying the damage a single vulnerability can cause. In particular, weaknesses in Initial Access often lead to further risks in the Execution or Persistence stages, where attackers can execute malicious code or maintain a long-term presence in the system.
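One way to surface the multi-stage exposures described above from a flat alert feed, as an added example that is not code from the report or the OSC&R project: group each application's alerts by the OSC&R stage they map to and rank applications whose alerts span more than one stage. The alert records, their field names (`app`, `stage`, `severity`, `title`) and the sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts; field names are assumptions, not an OSC&R schema.
SAMPLE_ALERTS = [
    {"app": "billing-api", "stage": "Initial Access", "severity": "high",
     "title": "Command injection in export handler"},
    {"app": "billing-api", "stage": "Execution", "severity": "high",
     "title": "Unsafe deserialization of job payload"},
    {"app": "billing-api", "stage": "Persistence", "severity": "medium",
     "title": "World-writable CI pipeline config"},
    {"app": "web-portal", "stage": "Initial Access", "severity": "medium",
     "title": "Reflected cross-site scripting"},
    {"app": "web-portal", "stage": "Initial Access", "severity": "low",
     "title": "Missing Content-Security-Policy header"},
    {"app": "reporting", "stage": "Execution", "severity": "high",
     "title": "Outdated library with known RCE fix"},
    {"app": "reporting", "stage": "Persistence", "severity": "medium",
     "title": "Hard-coded deploy token in repository"},
]

# The three stages the report singles out, in kill-chain order.
CHAIN = ("Initial Access", "Execution", "Persistence")

def stages_by_app(alerts):
    """Map each application to the set of OSC&R stages its alerts cover."""
    stages = defaultdict(set)
    for alert in alerts:
        stages[alert["app"]].add(alert["stage"])
    return dict(stages)

def multi_stage_exposures(alerts):
    """Apps whose alerts span more than one stage, most stages first.
    Ties go to apps that also have an Initial Access finding, since the
    report notes those tend to lead into Execution and Persistence risks."""
    ranked = []
    for app, stages in stages_by_app(alerts).items():
        covered = [s for s in CHAIN if s in stages]
        if len(covered) > 1:
            ranked.append((app, covered))
    ranked.sort(key=lambda r: (-len(r[1]), CHAIN[0] not in r[1], r[0]))
    return ranked

def exposure_summary(alerts):
    """(number of multi-stage exposed apps, total apps with alerts)."""
    return len(multi_stage_exposures(alerts)), len(stages_by_app(alerts))

if __name__ == "__main__":
    for app, covered in multi_stage_exposures(SAMPLE_ALERTS):
        print(f"{app}: exposed at {' -> '.join(covered)}")
```

Applied to a real export, the ranked list is a starting point for triage: an application exposed at every stage is a single chain waiting to be walked, whereas a large count of single-stage alerts is mostly noise.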
While the report highlights the challenges, it also provides hope in the form of better technology and processes. By integrating the OSC&R framework with advanced tools for Application Security Posture Management (ASPM) and Application Detection and Response (ADR), organizations can better identify and respond to threats in real time. This proactive approach, combined with continuous improvement and collaboration, is key to staying ahead of attackers.
For businesses looking to strengthen their software supply chain security, this report is a crucial resource. It not only reveals the most common threats, but also provides actionable insights to improve defenses and reduce exposure. For a closer look at the findings and to learn more about the OSC&R framework, check out the full report [here].