Story image

Huge vulnerabilities in software supply chain being exploited

04 Oct 2018
Sponsored

Cybersecurity breaches are occurring seemingly every week. The one good thing you could say comes from this is that businesses are able to learn from others’ mistakes.

However, Sonatype’s recently released ‘2018 State of the Software Supply Chain’ report reveals this isn’t the case.

For example, no introduction is necessary for one of the largest breaches of all time. Equifax was laid bare due to a Struts visibility, and despite this, Sonatype has recorded eight further Struts breaches this year alone, in addition to a new battlefront of attacks on open source releases that have affected tens of thousands of developers.

Sonatype vice president Derek Weeks says today’s organisations are finding they have to embrace open source software in the software development lifecycle in a bid to get it out the door and maintain a competitive edge. However, this rush is effectively leaving the door open for cybercriminals as they have already proven they have the intent and ability to exploit security vulnerabilities in the software supply chain.

“Organisations are building out armies of software developers, consuming extraordinary amounts of open source components, and equipping teams with tools designed to automate and optimise the entire software development lifecycle,” says Weeks.

“Innovation is critical, speed is king, and open source is at centre stage.”

A grim picture painted from findings in the report clearly shows why there is need for concern:

  • Software developers downloaded more than 300 billion open source components in the past year alone, while one in eight of those components contained known security vulnerabilities, a 120 percent year on year increase.
  • The mean time for these vulnerabilities to exploit compressed by 93.5 percent, from 45 days to a measly three days.
  • Despite the consistent breaches, organisations remain very much in the dark with 1.3 million vulnerabilities in open source software components lacking a corresponding CVE advisory in the public NVD database.
  • Meanwhile, 62 percent of organisations admitted to not having meaningful controls over what open source software components are used in their applications.

So what then is the solution? Sonatype CEO Wayne Jackson says it lies in proper management, which along with further findings is outlined in the company’s 2018 report.

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,” says Jackson.

“This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

The 2018 State of the Software Supply Chain Report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Click here to view the full Sonatype report.

SUSE completes move to independence
“Current IT trends make it clear that open source has become more important in the enterprise than ever before."
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
SAS announces US$1 billion investment in AI
"At SAS, we remain dedicated to our customers and their success, and this investment is another example of that commitment."
Two Ministers’ thoughts on blockchain in Oz
Minister Karen Andrews, and Minister Simon Birmingham have released a joint statement on the national blockchain roadmap and extra $100,000 funding.
IntegrationWorks continues expansion with new Brisbane office
The company’s new office space at the Riverside Centre overlooks the Brisbane River and Storey Bridge.
DXC subsidiary takes SAP energy industry partner award
Winners of the awards were selected from SAP’s A/NZpartner ecosystem and announced at the recent SAP A/NZ Partner Kick-Off Meeting held in Sydney.
NetApp and allegro.ai showcase an integrated solution for deep learning
Unlike traditional software, in deep learning, the data rather than the code is of the utmost importance.
Opinion: Moving applications between cloud and data centre
OpsRamp's Bhanu Singh discusses the process of moving legacy systems and applications to the cloud, as well as pitfalls to avoid.