Report: Malware and supply chain attacks threaten companies
The report "The State of Software Supply Chain" summarizes trends and risks in the software supply chain. Vulnerabilities remain unaddressed for years.
(Image: created with AI (Dall-E) by iX)
- Robert Lippert
Supply chain attacks, regulatory challenges and new technological developments: in its new report "The State of Software Supply Chain", Sonatype, a provider of software supply chain management tools, has analyzed over seven million open source projects and identified current trends and challenges.
Number of vulnerabilities more than doubled from year to year
With over 6.6 trillion downloads of open source components per year, and open source packages now accounting for up to 90 percent of modern software applications, developers face new challenges. The growing number of requests and dependencies, particularly in JavaScript (npm packages) and Python (PyPI libraries), has in recent years increased the risk of malware and supply chain attacks, i.e. the infiltration of malicious code. Such attacks can target code repositories, build systems and distribution channels.
In fact, the report identifies over 512,000 suspicious packages in the OSS ecosystem in the past year alone, which corresponds to a year-on-year increase of around 156 percent over the past few years.
(Image: 10th Annual State of the Software Supply Chain, Sonatype, 2024)
The report observes a certain inertia that prevents companies from fixing vulnerabilities. This leads to a permanent risk, such as around the Log4Shell vulnerability, where insecure versions of the Log4j library are still in circulation even three years after it became known.
Hidden risks and security concepts
The challenges for software development are manifold. 80 percent of application dependencies remain unpatched for more than a year, although secure alternatives are available for 95 percent of these vulnerable versions. Software developers are not the only ones to blame. New versions can also be accompanied by more restrictive license conditions, which must always be reassessed for compliance reasons. Depending on the quality and clarity of the information, this can mean a considerable amount of work.
(Image: 10th Annual State of the Software Supply Chain, Sonatype, 2024)
In addition, there are hidden risks: vulnerabilities that were classified as at most moderate under the CVSS (Common Vulnerability Scoring System) would often have to be classified as high or critical after a manual assessment. Companies can therefore quickly fall into a false sense of security.
In order to manage the growing risks of software supply chains, Sonatype's analysis suggests various security concepts, in particular proactive measures for managing dependencies.
These include the integration of tools such as Software Composition Analysis (SCA) into development processes and CI/CD pipelines, and the use of a Software Bill of Materials (SBOM). According to the report, projects that used an SBOM for their OSS dependencies were able to reduce their response time to security vulnerabilities by 264 days. As a provider of such tools, Sonatype also draws on its own data here.
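As an added illustration (not code from the report or from Sonatype), the following Python sketch shows the kind of check an SBOM makes possible in a CI/CD pipeline: match the listed components against an advisory feed, flag affected versions, record whether a fixed release already exists, and surface a manual re-scoring where it exceeds the vendor CVSS score. The SBOM fragment, the advisory IDs, the package names other than log4j-core and the "reassessed" field are all constructed for this example.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment for the demo (not data from the report).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"name": "example-http-client", "version": "2.25.1"},
        {"name": "example-utils", "version": "4.17.0"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVEs). An advisory covers
# versions in [introduced, fixed); fixed=None means no secure release exists yet.
# "reassessed" is a hypothetical field holding a manual re-scoring of the CVSS score.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "log4j-core", "introduced": "2.0.0",
     "fixed": "2.17.1", "cvss": 10.0, "reassessed": None},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-http-client", "introduced": "2.0.0",
     "fixed": "2.31.0", "cvss": 5.3, "reassessed": 8.1},
    {"id": "ADV-PLACEHOLDER-3", "name": "example-utils", "introduced": "4.0.0",
     "fixed": None, "cvss": 6.5, "reassessed": None},
]

def parse_version(v: str) -> tuple:
    """Numeric dotted version to a comparable tuple (sufficient for this demo)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, adv: Dict) -> bool:
    """True if version lies in the advisory's range [introduced, fixed)."""
    ver = parse_version(version)
    if ver < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or ver < parse_version(adv["fixed"])

def audit_sbom(sbom_text: str, advisories: List[Dict]) -> List[Dict]:
    """Match SBOM components to advisories; report fix availability and effective severity."""
    components = json.loads(sbom_text).get("components", [])
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                severity = max(adv["cvss"], adv["reassessed"] or 0.0)  # take the re-scoring if higher
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fix_available": adv["fixed"] is not None,
                                 "upgrade_to": adv["fixed"], "severity": severity})
    return findings

def fix_available_ratio(findings: List[Dict]) -> float:
    """Share of findings for which a secure release already exists to upgrade to."""
    return sum(f["fix_available"] for f in findings) / len(findings) if findings else 0.0
```

In a pipeline, a non-zero count of findings with `fix_available` set would be the signal to fail the build or open an upgrade ticket, which is the shortening of response time the report attributes to SBOM use.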
What are merely recommendations here will also become mandatory for some industries, for example when the Digital Operational Resilience Act (DORA) requires all financial companies to make considerable efforts to increase their resilience to cyber attacks from 2025.
The 60-page report "The State of Software Supply Chain" can be viewed online free of charge (and downloaded after registration) and draws on data from over seven million monitored open source projects.
(dmk)