Why software supply chain attacks are increasing

Myriad software supply chain attacks continue to plague the global flow of goods. Here’s how modern observability takes aim at cybersecurity risks.

Software supply chain attacks emerge in full force

The COVID-19 pandemic unleashed massive disruption in the global supply chain. Product and labor shortages, factory shutdowns, geopolitical factors, and extreme weather all dampened the flow of goods through the chain. But today, software supply chain attacks are a key factor in the global movement of goods.

In 2021, these attacks grew by more than 300% compared with 2020, according to a study by Argon Security. Additionally, a global study of 1,000 CIOs indicated that 82% say their organizations are vulnerable to cyberattacks targeting software supply chains.

Open source vulnerabilities creeping in through the software supply chain are one key reason for this substantial increase. According to one survey, supply chain attacks on open source software increased 650% in 2021.

One such software supply chain attack reared its head in late 2021, with the Log4Shell vulnerability, which affected millions of live applications using Java libraries.

What is a software supply chain attack?

A software supply chain attack can occur when a malicious actor infiltrates a software vendor’s network and compromises the software before a vendor sends it to customers. A malicious actor chooses to exploit well-known and widespread open source vulnerabilities, such as Log4Shell. The compromised software can then compromise customer data or IT systems.

The increase in software supply chain attacks is partly due to the faster pace of business and, in turn, more rapid software release cycles. And as organizations hasten software development cycles to remain competitive, security vulnerabilities can make their way into live applications, because developers simply don’t have time to find and fix them.

Why are software supply chain attacks so damaging?

These kinds of attacks are particularly pernicious because even small changes can have widespread and damaging effects. A software supply chain attack requires only one compromised application or piece of code to affect the entire supply chain. Attacks often target weaknesses in application source code, which can compromise a trusted application or software system.

That’s because participants in the supply chain are more interconnected than ever. For example, Company A may rely on Supplier B, which has access to its enterprise resource planning or other systems. If Supplier B is compromised, it can easily affect Company A.

Data supports the fact that open source software can make it difficult for DevSecOps teams to identify vulnerabilities.

Indeed, according to Dynatrace research, 61% of survey respondents say the use of third-party or open source code can make it difficult to identify and resolve application vulnerabilities.

And in the supply chain, open source is clearly a vulnerability. According to a 2022 survey,  among 64% of organizations that experienced software supply chain attacks, approximately 70% lacked proper policies for using open source.

Further, the pace of software development can also make it difficult for companies to remediate events. According to Dynatrace research, 51% of respondents say the speed of modern software delivery makes it easier for vulnerabilities to re-enter production after remediation.

How shift left, shift right, and modern observability address software supply chain vulnerability

With these kinds of attacks, an organization can be vulnerable even if its own cybersecurity defenses are rigorous.

As organizations brace for potential software supply chain attacks in the future, they have to monitor the full software development lifecycle for points of vulnerability. Organizations need to identify whether there are risks in their own software development by “shifting left.” That is security testing and software composition analysis early in the software development process, thus the process of shifting to the “left” side of the DevOps lifecycle. But they also need to accept the risk that some vulnerabilities will make their way into live applications. As a result, they also need to “shift right” to explore runtime vulnerabilities in their production applications.

The now-infamous Log4Shell vulnerability took aim at holes in live applications’ security.  According to Dynatrace research, Log4Shell targeted some 95% of surveyed organizations with “severe” or “high” impact. Many organizations lacked the tools to quickly identify vulnerabilities in their production applications. With modern observability, organizations can instantly find and analyze application vulnerabilities, saving days or weeks to identify runtime application threats.

Automating DevSecOps and modern observability

Ultimately, organizations benefit by introducing greater automation into their DevSecOps processes with an observability approach.

Modern observability enables organizations to identify and prioritize runtime application vulnerabilities. Modern observability elevates traditional monitoring capabilities with AIOps (or AI for IT operations).

It provides contextual data analysis that identifies precise answers about the source of security issues. It also prioritizes which issues to address first. With Log4Shell-like events, identifying root causes and determining the criticality of issues is key. Further, modern observability can save DevSecOps teams critical time and manual effort in identifying, prioritizing, and remediating security vulnerabilities.

DevSecOps teams are clamoring for these kinds of precise, AI-based approaches to runtime vulnerabilities.

View partner security as your security

As software development cycles accelerate, organizations need to use DevSecOps automation and modern observability to identify vulnerability in software — whether in development or production. Further, organizations need to grasp that their vulnerability now extends far beyond their four walls to involve their relationships with third parties and code. Organizations should recognize their code is only as secure as the code practices of partners, as well. Modern observability can help extend your line of sight to these partner vulnerabilities by providing insight into risks throughout the stack.