COMMENTARY
The complexity of today’s software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain.
We’ve seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn’t seemed any better.
Security teams are overwhelmed by the task of sorting through, assessing, and prioritizing the mitigation of tens of thousands of alerts to discern those that pose real risk from those that are benign. In 2023, a group of AppSec experts addressed this problem by launching the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework to help organizations gain a deeper understanding of their software supply chain vulnerabilities.
The OSC&R community’s inaugural report, “OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures,” offers a comprehensive analysis of the severity of vulnerabilities across the software supply chain kill chain. Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risk to software supply chains and probes the alignment between the vulnerabilities found in the wild and the focus of AppSec teams today.
The research offers some eye-opening statistics, including that 95% of organizations have at least one high, critical, or apocalyptic risk in their software supply chain, with the average organization having nine such issues. What’s more, the OSC&R data shows that many of the most common software supply chain vulnerabilities are tied to fundamental security controls, such as authentication, encryption, publicly available information in logs, and the principle of least privilege. Following are some of the most important takeaways from the report.
1. Watch for Run-Time Exposure
One in five applications was found to contain high, critical, or apocalyptic runtime vulnerabilities during the execution phase of an attack. This makes them prime targets for attackers. Because the most significant software vulnerabilities tend to surface in later attack stages, it’s crucial to catch issues early in the software development life cycle.
As such, AppSec and DevOps teams should aim to strengthen application runtime security. This can be accomplished by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.
2. It’s Worth Fixing Older Vulnerabilities
While newer vulnerabilities may grab headlines, older vulnerabilities remain the most common attack vectors when it comes to supply chain security. Techniques like command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) — as well as slow-burn vulnerabilities like CVE-2024-3094, which targeted the compression utility XZ Utils in major Linux distributions — still wreak havoc in unpatched systems. Attackers continue to successfully use historical tactics and techniques, showing that “old school” vulnerabilities present significant and persistent risks.
To counter these tactics and techniques and drive down the opportunity for attack, organizations should regularly review and update legacy systems and codebases to patch known vulnerabilities. Further, implementing a robust vulnerability management program that includes continuous scanning for both old and emerging threats will harden software against known risks.
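As an added illustration, not code from the report or the OSC&R project, the weak pattern beside the hardened one for the two most common techniques named above, command injection and sensitive data in log files; the hostnames, log lines and secret patterns are constructed for the example.

```python
import re

# Constructed example: the two most common "old school" weaknesses the report
# names, command injection and sensitive data in log files, each shown as the
# weak pattern beside the hardened one. All sample values are made up.

def build_ping_command_vulnerable(host: str) -> str:
    # Weak pattern: untrusted input spliced into a shell string. Passed to
    # subprocess.run(cmd, shell=True), a value such as "example.com; echo injected"
    # makes the shell run a second command after ping.
    return f"ping -c 1 {host}"

def is_safe_host(host: str) -> bool:
    # Allowlist validation: only hostname characters, bounded length.
    return re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host) is not None

def build_ping_argv(host: str) -> list:
    # Hardened: validate first, then build an argv list that is run without a
    # shell, so the host is always one argument to ping and never parsed as shell.
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]  # run with subprocess.run(argv, check=True)

SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" headers echoed into request logs
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\g<1>[REDACTED]"),
    # key=value secrets in query strings, form bodies and ad-hoc log messages
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)=[^&\s]+"), r"\g<1>=[REDACTED]"),
]

def redact(line: str) -> str:
    # Scrub known secret shapes before the line reaches any log sink.
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line

def log_login_vulnerable(user: str, password: str) -> str:
    # Weak pattern: the credential itself is written to the log line.
    return f"login attempt user={user} password={password}"

def log_login_hardened(user: str, password: str) -> str:
    # Hardened: the same message passed through the redaction filter.
    return redact(log_login_vulnerable(user, password))

if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    print(redact("POST /login password=hunter2&user=bob"))
    print(log_login_hardened("bob", "hunter2"))
```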
3. Vulnerabilities That Span Multiple Attack Stages Amplify Damage
In the OSC&R report data analysis, 36% of applications were found to be vulnerable to exploits in the initial access attack stage, with many overlapping across multiple stages of attack. Indeed, vulnerabilities in initial access stages often open the door for more severe threats, such as persistence and execution exploits.
The data underscores the need for AppSec and DevOps teams to bolster defenses across all stages of the attack life cycle, not just in initial phases. Organizations should adopt multilayered security solutions that can detect and neutralize threats at various stages of the kill chain to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.
Next Steps for AppSec Teams
One of the questions the inaugural OSC&R report sought to answer was whether what AppSec and DevOps teams focus on matched the vulnerabilities found in the wild. The data reveals that this is not yet the case. Progress is being made, but the high volume of vulnerabilities passing through the supply chain into live applications, and the large percentage of organizations that report supply chain security incidents, indicate that greater focus on proactive software security measures is needed.
In addition, organizations need to do a better job of looking systemically at both their software development processes and the attack lifecycle to identify the places most likely to be at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic visibility of their supply chain — from the build stage all the way through runtime, and including the development and testing environments, which are occasionally overlooked.
Further, it’s clear that focusing on one or two stages of software development or one stage of the attack lifecycle isn’t enough. Businesses must adopt a multilayered, full-lifecycle AppSec strategy — accompanied by tools that can unify all stages — to reduce the probability of attack.
Development and security teams now have a reference they can use to map their programs to known attack vectors and tactics. OSC&R, in effect, sets the foundation for operating a streamlined software security program that reduces the number of vulnerabilities that reach production, enhancing the resiliency of the organization as a whole and easing the fears of breach due to software flaws.