The software supply chain has develop into a critical area for firms as they navigate an increasingly complex and interconnected digital landscape. A recent report from JFroga number one provider of software supply chain management solutions, highlights the growing challenges and risks firms face in securing their software ecosystems.
The “Software Supply Chain State of the Union 2024The report released last week shows that the trendy software supply chain is cross-technology, multi-sourced and multinational, with a major proportion of firms using greater than ten programming languages. “About half of organizations (53%) use 4-9 programming languages, while a major 31% use greater than 10 languages,” the report says.
This complexity has led to an explosion of open source packages and libraries available for constructing applications. “Docker and npm contributed probably the most to package types. PyPI contribution also increased, likely because of AI/ML use cases,” the report said. However, this abundance also presents a world of potential risks for firms.
In 2023 alone, security researchers disclosed over 26,000 recent CVEs (Common Vulnerabilities and Exposures) worldwide, continuing the trend of the variety of vulnerabilities increasing year-over-year. The report highlights that “probably the most common forms of vulnerabilities in 2023 were cross-site scripting, SQL injection and out-of-bounds write.” Cross-site request forgery was also more common.”
Misleading vulnerability assessments obscure the true risk
Shachar Menashe, senior director at JFrog Security Research, highlighted the misleading nature of Common Vulnerability Scoring System (CVSS) scores with regards to real-world exploitability. “Inherently, CVSS scores wouldn’t have a 'contextual' attack vector, although all library vulnerabilities are by definition contextual,” Menashe explained in an interview with VentureBeat. “This signifies that a vulnerability that’s exploitable by default will receive the identical rating as a vulnerability that is simply exploitable in an especially rare software configuration.”
The report also shows that “74% of CVEs with high and significant CVSS scores in the highest 100 images within the DockerHub community usually are not actually exploitable.” This highlights the importance of looking beyond the superficial vulnerability assessments and the assess actual risk based on the particular context and configuration of a corporation's software.
the reported common CVEs with high and significant CVSS scores
There are literally none in the highest 100 DockerHub community images
exploitable. (Image credit: JFrog)
Hidden risks lurk in software supply chains
The report also highlights the hidden risks lurking in software supply chains, with human error and exposed secrets accounting for a good portion of potential vulnerabilities. “Human error and exposed secrets represent a good portion of the potential risk in your software supply chain,” the report says.
Menashe elaborated on this point, explaining, “Scanning on the binary level (builds vs. source code) offers unique benefits because you might be then scanning and validating what is definitely running in production, and there are particular risks involved in the primary place “develop into visible when the code is compiled, particularly leaked secrets – which usually are not present within the source code but are then 'appended' to the ultimate image by the CI/CD pipeline.”
Disjointed security approaches cost helpful time and resources
Despite growing awareness of software supply chain risks, firms still struggle with disjointed security approaches that cost development teams helpful time and resources. The report found that “60% of execs say their team typically spends 4 days or more remediating application vulnerabilities in a given month.”
Menashe advises firms to prioritize vulnerabilities more effectively by investing in security solutions that contextualize scan results. “Just mentioning that CVEs are present within the scanned image or construct isn’t any longer enough. Contextual scanning will be done either statically or dynamically (runtime solutions), but ignoring context ends in roughly 75% false positives (conservative estimate), as we showed in each the last and this yr's reports,” he said.
The report also highlights the growing variety of application security tools as a possible problem for organizations. “The variety of security offerings available on the market is exploding, and for organizations, adopting so many security tools presents some significant challenges. Too many point solutions can result in gaps in coverage, competing results, and alert fatigue – which bogs down development workflows,” Menashe explained.
AI and machine learning bring recent challenges
The introduction of artificial intelligence (AI) and machine learning (ML) into software development has also brought recent challenges to the forefront. While “94% say their organization takes steps to confirm the safety and compliance of open source machine learning models,” the report states, “nearly one in five say their organization doesn’t use AI/ “ML support in code creation allows for security and compliance concerns.”
Looking ahead, Menashe predicts that using AI for coding will proceed to grow, but warns in regards to the security risks it could pose. “We expect the variety of firms using GenAI-developed code to proceed to grow at an alarming rate given its proven impact on developer productivity. However, it will be important for all developers and corporations to know that using such practices can have a huge effect on security and compliance, as GenAI cannot produce secure code despite such claims of their documentation,” he warned.
Menashe also pointed to a possible threat for 2024, explaining: “One thing CISOs should be looking out for in 2024 is that attackers are increasingly making the most of the proven fact that AI sometimes creates libraries that don't exist.” Bad guys initiate chat -GPT tools with requests from developers to see if the AI-generated code accommodates invented libraries. The attackers then create these libraries to seem legitimate. When a developer copies and pastes the code, they inadvertently point to a malicious package.”
Key recommendations for securing software supply chains
As organizations navigate the ever-evolving software supply chain landscape, the JFrog report serves as a wake-up call to prioritize security and take a comprehensive approach to managing software vulnerabilities.
Menashe offers several key recommendations for IT leaders trying to higher secure their software supply chains:
- “Organizations should prevent developers from downloading OSS packages directly from the Internet and as a substitute use an artifact management solution as an intermediary for proxy public registries. This enables organizations to review and secure artifacts entering their organization and proactively block malicious and unwanted packages before they reach the developer environment.”
- “You should manage all inputs (i.e. third-party and open source packages) and outputs (builds) that make up a software release in a single system that has seamlessly integrated end-to-end application security.” This states ensures security policies are applied consistently across teams and workflows, and provides DevOps and security teams a standard lens from which to operate.”
- “Organizations should adopt anti-tampering approaches similar to code signing to make sure that a possible release has not modified because it matures. By signing potential releases and promoting them across environments as software matures—moderately than rebuilding—you possibly can make sure that the software you release accommodates the secure, high-quality components you intended when it was originally compiled. “
By leveraging contextual scanning, consolidating security solutions, and proactively addressing the risks related to AI-generated code, firms can strengthen their software supply chains and protect themselves from the hidden threats lurking of their software ecosystems.
The JFrog report is a timely reminder that vigilance and a comprehensive approach to software supply chain security are more necessary than ever within the face of an ever-expanding attack surface.
