Lessons from the largest software-supply-chain incidents
The software supply chain is a growing target, and organizations need to take special care to safeguard it.
December 14, 2024
In 2011, Marc Andreessen coined a phrase we're now all familiar with: "Software is eating the world." More than 13 years later, the expression still rings true. The world runs on software, and each day it continues to transform industries and fuel the global economy. Companies are generating more software — faster than ever before — in order to keep up in today's dynamic and ultracompetitive business landscape.
Innovation is a beautiful thing, but the increased volume and velocity with which software is being built and delivered creates more opportunities for something to go wrong in the software supply chain. Over the past decade, we've seen this happen time and time again.
Around this time last year, Okta disclosed that it had experienced a significant security breach, where bad actors gained access to private customer data through its support management system, highlighting the dangers of third-party risk. In 2020, the SolarWinds platform update mechanism was compromised and used to send malicious software that impacted more than 18,000 of its customers. And back in 2017, Equifax suffered a massive breach due to a failure to patch a known security flaw in its software.
This is just a small sampling of the types of software supply chain attacks that have plagued organizations over the past decade. Unfortunately, these attacks show no signs of slowing down — quite the opposite, actually.
Research indicates software supply chain attacks are occurring at a rate of one successful attack every two days, and Gartner predicts that by 2025, 45% of organizations will have experienced a software supply chain attack. Alarmingly, one report found that there has been a staggering 742% increase in these attacks over the past three years.
The uptick in software supply chain attacks can be attributed to a combination of several factors. Often, organizations simply don't realize the breadth of their exposure. As software shops move toward more sophisticated software delivery and consumption models (e.g., continuous integration/continuous delivery [CI/CD] and cloud), their supply chains become more vulnerable. Additionally, typical attack vectors have become increasingly difficult to exploit (thanks to vendors incorporating more sophisticated security measures into platforms and software), which has forced bad actors to uncover new vulnerabilities and become more creative in their attacks. More recently, the spike in adoption of generative AI (GenAI) tools like coding assistants has created new and difficult-to-monitor security gaps. At the same time, attackers are leveraging GenAI themselves to carry out more sophisticated attacks at a higher volume.
Enterprises must urgently find a balance between creating and releasing high-quality software quickly and upholding a high level of security at each link in the software supply chain.
Here's how they can maintain security without impeding innovation:
To read the complete article, visit Dark Reading.