Business losses caused by attacks on software supply chains could exceed $80.6 billion by 2026, a 76% increase over estimated 2023 losses of $45.8 billion, a recent study by market researcher Juniper Research has found.
The 32-page report, titled "Vulnerable Software Supply Chains Are a Multi-Billion Dollar Problem," attributes the rapid rise in losses to two primary causes: increasing risks caused by the absence of security processes from software supply chains, and the rising complexity of software supply chains overall.
Adversaries are realizing that confusion is prevalent in software development, said ReversingLabs Field CISO Matt Rose, especially with the speed of releasing software and the siloing of responsibilities and activities associated with cloud-native development. "So the cost of recovering from a software supply chain breach is going to be astronomical unless addressed early," he said.
"With a software supply chain attack, instead of hacking a million people, a threat actor can hack one thing that infects a million people. Then the software company has to pay damages and suffers reputation loss."
—Matt Rose
Here's a full rundown on the Juniper Research report, with analysis of the key problems that need to be addressed to minimize risk — and cost.
[ Get White Paper: How to Assess & Manage Commercial Software Risk ]
Shift in focus needed, from vulnerabilities and toward malware
The report said that many businesses and industries lack sufficient cybersecurity resources to adequately harden their software supply chains — in many cases due to inadequate access to effective cybersecurity training or a failure to recognize the value of the data they work with or process.
Without a paradigm shift in the cybersecurity management of software supply chains, losses will continue to mount from cyberattacks, Rose said.
He said the shift needed should include focusing more on malware compromises to software supply chains. So much time and resources are being spent on looking for OWASP Top 10 vulnerabilities, pre-compiled state vulnerabilities, running state vulnerabilities, and API vulnerabilities, Rose said, that software engineers haven't caught on to the concept of an application containing malware.
"Software supply chain risk is about malware. It's about getting malware into a piece of software or application in a way that's unknown or unanticipated. People have to stop just thinking about vulnerabilities and start thinking about risk and how to identify it early and respond to it quickly."
—Matt Rose
Digital transformation means companies are vulnerable
The Juniper report pointed to digital transformation as one of the leading contributors to cybersecurity risk for the software supply chain. Digitizing elements of the supply chain means it is increasingly vulnerable to disruption from cyberattack.
In addition, the introduction of digital elements to both product delivery and the traditional supply chain means that areas not usually considered part of the supply chain now need to be assessed when companies are looking to secure their sources of products and services.
What's needed is a comprehensive strategy that leverages a wide range of products, solutions, and regulatory compliance strategies to ensure the security and resilience of the industrial supply chain, the Juniper report said. Organizations need to think beyond the supply and movement of goods, to the supply of systems used to monitor and coordinate goods and services, including hardware and software systems that are used in the provision of a service.
They also need to include software updates and other services after a product's sale, as well as the software itself when it's used as a component in the delivery of finished goods — just as with connected devices.
The report author, Juniper Head of Research Nick Maynard, said in a statement that the two supply chain issues were interconnected and a multiplier of risk.
“The software supply chain has been neglected over the years as a source of risk, leading to a situation where organizations face significant issues, if they cannot change the way they operate. As software supply chains become more complex, the problem becomes exponentially more complicated, requiring immediate attention to resolve, through regulations, SBOMs [software bills of materials], embedded security, and cybersecurity solutions."
—Nick Maynard
Priorities and alignment with stakeholders are key
The report lays out several priorities for securing the software supply chain:
- Know your suppliers. Only by getting deeply involved with their suppliers can private- and public-sector organizations determine the full breadth of their software supply chain and identify risks associated with it. These organizations should use the parameters of strict tendering processes that promote SBOM transparency to ensure that suppliers are compliant.
- Consider immediate software updates. “Secure now” does not mean “secure later." Staying on top of software updates throughout the entire software supply chain is vital to ongoing security. These efforts should be paired with identifying resilient technologies (particularly security solutions) designed with security built in.
- Raise awareness internally. Software elements of the supply chain can “fly under the radar.” Only through raising awareness and building hardened processes can these secure needs be met.
Increased demand for SBOMs is coming
The growth in software supply chain risk identified in the Juniper report was affirmed in a survey released by Capterra, an online marketplace vendor owned by Gartner. That survey of 271 IT security pros conducted in April found that 61% of businesses have been affected by a supply chain threat in the last 12 months.
Capterra analyst Zack Capers wrote:
"And if your company is one of the lucky 39% that made it through the last year unscathed, it’s likely luck more than anything. That’s because the vulnerabilities wrought by software supply chain vulnerabilities are difficult to defend against."
Capterra's survey also found that:
- Half the IT security pros surveyed say the software supply chain threats to their organizations are high or extreme.
- A majority of businesses (64%) conduct formal risk assessments and practice privileged access management (61%) to boost defenses against supply chain threats.
- Nearly all companies (94%) use at least one open-source platform, and more than half (57%) use multiple platforms.
Capers noted that open-source software is one of the many reasons for the rising demand among companies and government agencies for vendors to supply SBOMs to them. The survey found that nearly half of businesses (49%) say they're requesting SBOMs from vendors as part of their defense strategy against software supply chain threats.
Software supply chain security is mission-critical
The software supply chain is a mission-critical entity that affects all organizations that rely on technology to carry out their day-to-day operations, the Juniper report explained.
It is important for all stakeholders to consider how to best approach the security of their software supply chains. This requires closely examining their current approach, knowing which software and suppliers are involved, and ensuring that appropriate and necessary security mitigations are applied, the report added.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.