Story image

Huge vulnerabilities in software supply chain being exploited

04 Oct 2018
Sponsored

Cybersecurity breaches are occurring seemingly every week. The one good thing you could say comes from this is that businesses are able to learn from others’ mistakes.

However, Sonatype’s recently released ‘2018 State of the Software Supply Chain’ report reveals this isn’t the case.

For example, no introduction is necessary for one of the largest breaches of all time. Equifax was laid bare due to a Struts visibility, and despite this, Sonatype has recorded eight further Struts breaches this year alone, in addition to a new battlefront of attacks on open source releases that have affected tens of thousands of developers.

Sonatype vice president Derek Weeks says today’s organisations are finding they have to embrace open source software in the software development lifecycle in a bid to get it out the door and maintain a competitive edge. However, this rush is effectively leaving the door open for cybercriminals as they have already proven they have the intent and ability to exploit security vulnerabilities in the software supply chain.

“Organisations are building out armies of software developers, consuming extraordinary amounts of open source components, and equipping teams with tools designed to automate and optimise the entire software development lifecycle,” says Weeks.

“Innovation is critical, speed is king, and open source is at centre stage.”

A grim picture painted from findings in the report clearly shows why there is need for concern:

  • Software developers downloaded more than 300 billion open source components in the past year alone, while one in eight of those components contained known security vulnerabilities, a 120 percent year on year increase.
  • The mean time for these vulnerabilities to exploit compressed by 93.5 percent, from 45 days to a measly three days.
  • Despite the consistent breaches, organisations remain very much in the dark with 1.3 million vulnerabilities in open source software components lacking a corresponding CVE advisory in the public NVD database.
  • Meanwhile, 62 percent of organisations admitted to not having meaningful controls over what open source software components are used in their applications.

So what then is the solution? Sonatype CEO Wayne Jackson says it lies in proper management, which along with further findings is outlined in the company’s 2018 report.

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,” says Jackson.

“This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

The 2018 State of the Software Supply Chain Report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Click here to view the full Sonatype report.

Chillisoft rounds out portfolio with file integrity vendor
Tripwire is the fourth vendor for Chillisoft in six months, adding critical security controls, vulnerability management and file integrity monitoring.
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Optic Security Group celebrates Axis accolade
Auckland-based business security systems provider Fortlock has picked up an award at Axis Communications’ annual Oceania Axis Partner Summit 2019.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.