How SolarWinds Uses Spectra Assure for Next-Gen Software Supply Chain Security
Watch Now
Your Go-To-Guide: Software Supply Chain Security for Dummies
Get the Guide
Webinar | AI in the Supply Chain: Balancing Innovation & Security in the AI Age
REGISTER NOW

The State of SSCS 2024: It's a Big Deal

January 18, 2024

In this episode of ReversingGlass, Matt reviews the new report from ReversingLabs, The State of Software Supply Chain Security 2024, and highlights some of the key takeaways. In short: It's a big deal.

Learn More

- Learn more: The State of Software Supply Chain Security 2024: Key takeaways
- Get report: The State of Software Supply Chain Security 2024
- Related: Software supply chain security risks addressed in new Gartner report

Episode Transcript

MATT ROSE: Hi everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Very excited about this episode because it's a culmination, or a research project. It's going to talk about The State of Software Supply Chain Security 2024 research report that was created by a friend of mine and colleague Paul Roberts.

He was the one that spearheaded this report. And there's a ton of great information. From a standpoint of I'm giving you a sneak preview here. This is the report, the cover of the report. It's a very comprehensive report, but if you haven't guessed, software supply chain security or software supply chain, in general is kind of a big thing.

We'll borrow from Ron Burgundy here, and if you didn't know this, software supply chain security is kind of a big deal these days. But what does that mean? What are the kind of inner workings of this report? Well, I don't know if you guys know this, and I suggest everybody gets to the report, downloads the report and reads it.

But did you know that there were 12 major SSCS or software supply chain security breaches in the past year? Everyone knows kind of the big ones, but there's some underlying ones that are really important. So reading this report, you'll kind of dig into some of those things, but 12 major software supply chain security attacks in the past year.

That sounds like a dark cloud on the horizon, if you will. From a standpoint of the explosive growth of malware, this report talks about, and I'm not a big metrics guy, there's a ton of metrics and analytics within the report, but there was a 23 percent increase in malicious packages on npm and PyPI last year.

That's a 23 percent increase, but guess what? That was only in the first nine months of 2023 over 2022. So there was some more in there. And if you think about it too, from 2020, let me get my notes here. Yeah, to 2023, there has been a 1300 percent increase in vulnerable packaging in open source repos. Combine this with your first party code, with the potential compromise of the

tooling associated with the supply chain, the build environments, the code repos, all these type of things. This is the here and now. And as Ron Burgundy says, it is a big thing. So if you're not addressing software supply chain security in a way that not only identifies the how software supply chain attacks happen... you know, was it a secrets compromise?

Was it a build compromise? Was it a code repo compromise? Was it a credential compromise? There are many different ways that this can happen. Software supply chain security is a big thing to the point where new government agencies have been created just to address this topic. So ReversingLabs' The State of Software Supply Chain Security 2024 coming out for your pleasure for your reading, but you're going to learn a lot from this report. Again,

I appreciate Paul Roberts putting in all the work and effort on this, but this is, in my view, a foundational document to talk about where software supply chain security has been and where it's going into 2024. I'm Matt Rose, Field CISO at ReversingLabs. Thanks for watching and I hope you have a great day.

Matt Rose

About Author: Matt Rose

Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.

Related episodes

Reproducible Builds: Graduate Your Application Security
ReversingGlass

Reproducible Builds: Graduate Your Application Security

What You Need to Know About Tampering
ReversingGlass

What You Need to Know About Tampering

Development Secrets: Shhhh... It's a Secret
ReversingGlass

Development Secrets: Shhhh... It's a Secret

The State of SSCS 2024: It's a Big Deal
ReversingGlass

The State of SSCS 2024: It's a Big Deal

ReversingGlass: ESF calls for software package final exams
ReversingGlass

ReversingGlass: ESF calls for software package final exams

ReversingGlass: Binary Analysis for SSCS
ReversingGlass

ReversingGlass: Binary Analysis for SSCS

ReversingGlass: SBOMS and threat modeling
ReversingGlass

ReversingGlass: SBOMS and threat modeling

ReversingGlass: EO on AI: What security teams need to know
Artificial Intelligence (AI)/Machine Learning (ML)

ReversingGlass: EO on AI: What security teams need to know

ReversingGlass: Software Supply Chain Attacks How vs. What
ReversingGlass

ReversingGlass: Software Supply Chain Attacks How vs. What

ReversingGlass: NIST CSF 2.0
ReversingGlass

ReversingGlass: NIST CSF 2.0

ReversingGlass: EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key
ReversingGlass

ReversingGlass: EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key

ReversingGlass: Happy Birthday, ReversingGlass
ReversingGlass

ReversingGlass: Happy Birthday, ReversingGlass

ReversingGlass: How Software Supply Chains Go Wrong
ReversingGlass

ReversingGlass: How Software Supply Chains Go Wrong

ReversingGlass: CISA SBD/SBD is HARD
ReversingGlass

ReversingGlass: CISA SBD/SBD is HARD

ReversingGlass: Trust must be complete
ReversingGlass

ReversingGlass: Trust must be complete

Why the Time Is Now for SSCS
ReversingGlass

Why the Time Is Now for SSCS

The Differences Between Vulnerabilities and Malware
ReversingGlass

The Differences Between Vulnerabilities and Malware

ReversingGlass: Must See at Black Hat
ReversingGlass

ReversingGlass: Must See at Black Hat

Software Security: Why Trust Matters
ReversingGlass

Software Security: Why Trust Matters

ReversingLabs at Black Hat 2023
ReversingGlass

ReversingLabs at Black Hat 2023

Shift Up Your SBOM
ReversingGlass

Shift Up Your SBOM

Forget Shift Left. Shift Up Instead.
ReversingGlass

Forget Shift Left. Shift Up Instead.

ReversingLabs @ InfoSecurity Europe 2023
ReversingGlass

ReversingLabs @ InfoSecurity Europe 2023

Application Hacks vs Software Supply Chain Hacks
ReversingGlass

Application Hacks vs Software Supply Chain Hacks

Behaviors and Diffs: Better Together for Software Security
ReversingGlass

Behaviors and Diffs: Better Together for Software Security

Reversing Glass on ReversingLabs
ReversingGlass

Reversing Glass on ReversingLabs

AI and Application Security: Proceed with Caution
Artificial Intelligence (AI)/Machine Learning (ML)

AI and Application Security: Proceed with Caution

What the heck is an SBOM?
ReversingGlass

What the heck is an SBOM?

Supply Chain Risks in Art and Life ... Even the 'The Simpsons'
ReversingGlass

Supply Chain Risks in Art and Life ... Even the 'The Simpsons'

Why CISA Secure by Design is Just a Starting Point
ReversingGlass

Why CISA Secure by Design is Just a Starting Point

ReversingLabs at RSA 2023 | ReversingGlass
ReversingGlass

ReversingLabs at RSA 2023 | ReversingGlass

SSCS Use Cases Are Growing
ReversingGlass

SSCS Use Cases Are Growing

Full-Coverage Supply Chain Security Explained
ReversingGlass

Full-Coverage Supply Chain Security Explained

How to Define Software Supply Chain Security
ReversingGlass

How to Define Software Supply Chain Security

Get Smart With Your Software Supply Chain Security
ReversingGlass

Get Smart With Your Software Supply Chain Security

The DNA of Software Supply Chain Security
ReversingGlass

The DNA of Software Supply Chain Security

A Brief History of App Sec: Why Software Supply Chain Security Is Now
ReversingGlass

A Brief History of App Sec: Why Software Supply Chain Security Is Now

C-SCRM: Much-needed definition for software supply chain policy & processes
ReversingGlass

C-SCRM: Much-needed definition for software supply chain policy & processes

ReversingLabs vs VirusTotal
ReversingGlass

ReversingLabs vs VirusTotal

SCA Is Good. SSCS Is Better.
ReversingGlass

SCA Is Good. SSCS Is Better.

Typosquatting and software supply chain security
ReversingGlass

Typosquatting and software supply chain security

What the heck are secrets?
ReversingGlass

What the heck are secrets?

What is Software Supply Chain Security Scanning
ReversingGlass

What is Software Supply Chain Security Scanning

CircleCI Hack & Software Supply Chain Risks
ReversingGlass

CircleCI Hack & Software Supply Chain Risks

What is ReversingGlass?
ReversingGlass

What is ReversingGlass?

Beyond the SBOM: Next steps are essential for secure software
ReversingGlass

Beyond the SBOM: Next steps are essential for secure software

DNA of an App: Why Traditional App Sec Testing Misses Modern Threats
ReversingGlass

DNA of an App: Why Traditional App Sec Testing Misses Modern Threats

SBOM Executive Order 14028
ReversingGlass

SBOM Executive Order 14028

Load more

Subscribe

Sign up now to receive the latest weekly
news from ReversingLabs

Get Started
Request a DEMO

Learn more about how ReversingLabs can help your company reduce attack surface risks with deep software and file threat analysis to speed release and response. 

REQUEST A DEMO