A flaw anywhere in the supply chain cascades out from the point of origin of the vulnerability or breach, sometimes all the way to the end user, and it can have devastating impacts. Because of its complexity and connectivity, the software supply chain presents an ever-expanding attack surface. For example, threat actors can take advantage of compromised software and the frequent communication across networks to gain privileged access to networks and organizations. That enables these bad actors to bypass perimeter security and appear as legitimate users or accounts, and once inside—and with permissions—they can wreak havoc.
Do you know the composition of the software in your applications—including both open source and proprietary code? Do you know which components and versions they use? Open source software is everywhere; it’s a critical component in all modern application development. Our analysis of commercial codebases in the Synopsys “Open Source Security and Risk Analysis” (OSSRA) report shows that almost all (98%) codebases contain open source software. And that number is 100% in the energy and clean tech, cybersecurity, Internet of Things, and computer hardware and semiconductor industries. The report also shows that 81% of codebases contain at least one known open source vulnerability.
As a result of the prevalence of open source software, the supply chain is more complicated and obscure, and involves more links and dependencies than ever before. The only way to mitigate the risk is to maintain visibility into the open source software in use, and address the areas of risk as they are identified.
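The visibility the paragraph above calls for starts with an inventory: which components, at which versions, under which licenses, and which of them match a known advisory. The following is an added example, not code from the OSSRA report or from any Synopsys product. It assumes a CycloneDX-style JSON SBOM as input; the component names, versions and advisory identifiers are all constructed placeholders, not real packages or CVE numbers.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment. Every component name, version and
# license here is made-up sample data, not taken from a real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "json-utils", "version": "1.8.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "crypto-wrap", "version": "0.9.5",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "name": "legacy-parser"},
    {"type": "application", "name": "internal-billing", "version": "3.0.1"}
  ]
}
"""

# Constructed advisory feed: component -> list of (first fixed version, advisory id).
# The ids are placeholders standing in for whatever vulnerability database you use.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "log-helper": [("2.17.0", "ADVISORY-PLACEHOLDER-1")],
    "json-utils": [("1.8.0", "ADVISORY-PLACEHOLDER-2")],
    "crypto-wrap": [("1.0.0", "ADVISORY-PLACEHOLDER-3")],
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.14.0' -> (2, 14, 0)."""
    return tuple(int(part) for part in version.split("."))


def parse_components(sbom_text: str) -> List[Dict[str, str]]:
    """Extract name, version and license for every component listed in the SBOM."""
    bom = json.loads(sbom_text)
    components = []
    for entry in bom.get("components", []):
        licenses = entry.get("licenses", [])
        license_id = licenses[0]["license"].get("id", "unknown") if licenses else "unknown"
        components.append({
            "name": entry["name"],
            "version": entry.get("version", ""),  # empty when the SBOM omits the version
            "license": license_id,
        })
    return components


def find_known_vulnerable(components: List[Dict[str, str]],
                          advisories: Dict[str, List[Tuple[str, str]]]) -> List[Dict[str, str]]:
    """Return components whose version is below the first fixed version of a listed advisory."""
    findings = []
    for comp in components:
        if not comp["version"]:
            continue  # unversioned entries cannot be matched; reported separately
        for fixed_in, advisory_id in advisories.get(comp["name"], []):
            if version_key(comp["version"]) < version_key(fixed_in):
                findings.append({"name": comp["name"], "version": comp["version"],
                                 "advisory": advisory_id, "fixed_in": fixed_in})
    return findings


def find_unversioned(components: List[Dict[str, str]]) -> List[str]:
    """Components listed without a version are an inventory gap, not a clean result."""
    return [c["name"] for c in components if not c["version"]]


if __name__ == "__main__":
    comps = parse_components(SBOM_JSON)
    for c in comps:
        print(f"{c['name']:<18} {c['version'] or '<no version>':<14} {c['license']}")
    for f in find_known_vulnerable(comps, ADVISORIES):
        print(f"VULNERABLE {f['name']} {f['version']} ({f['advisory']}, fixed in {f['fixed_in']})")
    for name in find_unversioned(comps):
        print(f"INCOMPLETE {name}: no version recorded, cannot be checked against advisories")
```

The unversioned component is deliberately surfaced as its own finding: an SBOM entry that cannot be matched against any advisory is a visibility gap, and treating it as "no known vulnerability" would give exactly the false confidence the paragraph warns about.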
Additionally, your proprietary code is written by developers, who often have little security experience or training. As with open source software, the risks in proprietary code are complex and can be difficult to identify, even for seasoned security experts. Yet vulnerabilities in your own code can serve as entry points to sensitive data and systems. This is why it’s so important to secure proprietary software alongside third-party code in an application.