Can you trust commercial software? Tackling third-party software risk

July 29, 2024
Supply chain security is rapidly emerging as a material risk for enterprise software buyers. Yet, despite best efforts from regulators to hold software publishers accountable, enterprise buyers continue to face financial, operational, and reputational impacts from successful attack campaigns on their software vendors.

While we have seen the development community, led by the likes of OpenSSF, make significant progress with frameworks and best practices to combat known vulnerabilities and threats, the same cannot be said for downstream consumers who have failed to make progress in mitigating risks. 

Evidence of a failed defense effort is everywhere. Let’s start with a recent report from Gartner, “Mitigate Enterprise Software Supply Chain Security Risks,” which says software supply chain attacks have seen triple-digit increases.

Despite this dramatic rise in malicious activity, Gartner noted that security assessments are not performed as part of vendor risk management or procurement activities, which leaves organizations vulnerable to attacks. Additionally, in its 2024 Data Breach Investigations Report (DBIR), Verizon found that breaches stemming from third-party software development organizations increased nearly 70% from its 2023 report.

We saw similar growth trends at ReversingLabs in our 2024 State of Software Supply Chain Security report. Drawing on our threat repository, which contains over 40 billion malware and goodware files, the data reveals a 1,300% increase in malicious packages on major open-source software platforms since 2020.

Given the ubiquitous nature of software in today’s digital age, nearly every large enterprise consumes third-party commercial off-the-shelf (COTS) software.

But how do they know it’s safe? After all, the components that make up this software are all locked in a “black box” protected by intellectual property law and licensing protection. This opaque characteristic of third-party software makes quantifying, tracking, and controlling the security risk presented by it a growing challenge. 

The good news is that awareness is growing fast, thanks in part to some high-profile incidents, including SolarWinds and MOVEit. These incidents are forcing enterprise security executives to acknowledge that third-party software represents one of the largest unaddressed attack surfaces.

In fact, the European Union Agency for Cybersecurity (ENISA) predicts that supply chain compromise of software dependencies will be the most prominent cyber threat in 2030. However, despite this growing awareness, few have figured out how to successfully gain visibility into and manage the security risk it presents. This puts enterprise software buyers at risk of losing customer data and eroding brand trust.

Trust is Not a Defense Strategy

There is little debate that enterprise security functions must take steps to evaluate the risks in their business’s commercial software. It’s when the discussion shifts to “how” that confusion begins. Let’s start with some methods that consistently fall short of this goal:

  • Vendor Security Questionnaires: This traditional “pen and paper” approach to managing third-party security risk is still the most widely used. However, it provides limited levels of assurance due to a reliance on vendor engagement and an inherent trust in their self-attestation statements. In the words of Gartner analysts, “The lack of transparency and trust within the global software supply chain has emerged as a critical issue for organizations of all kinds.”
  • Software Bill of Materials (SBOM): Once the heir apparent to the questionnaire, it has become clear that the SBOM is nothing more than a list of ingredients. Yes, it lists all the components within a software application or system. But does it identify risks and threats therein? The answer is a resounding no.
  • Security Rating Services: These services often rely on passive scanning of a vendor’s external-facing infrastructure and public threat intelligence sources. Although they provide valuable insights into the general security posture of the vendor, they overlook the security risk posed by the actual product (e.g., the COTS software package) consumed by the customer.
  • Penetration Testing (Pentesting): In a pentest, a business launches a simulated cyberattack on an application (or a system, network, etc.), but like the other options, this has significant flaws. Pentests are limited in scope and time, and often fail to capture the breadth of attack techniques available to a malicious actor. There is also a significant price tag attached to pentesting, which makes it an unrealistic option for a business that needs to assess software at scale.

It's Time to Open the Black Box

While the solutions above deliver some insights, they merely scratch the surface, ultimately missing the threats that thrust companies into the headlines. This includes everything from malware, tampering, and exposed secrets to application hardening and vulnerabilities.

Getting these details requires opening the black box of commercial software before it’s deployed within the organization. To conduct such a task effectively, a different set of capabilities is needed, such as complex binary analysis, which provides a comprehensive risk analysis of a complete application or software binary.

This process “unpacks” the software, extracting information from its embedded objects, with the ultimate goal of uncovering hidden risks and threats. The software is never executed, so a detailed analysis can be performed in an efficient and cost-effective manner.

Using this method, organizations can deconstruct and analyze commercial software packages without constraints like requiring access to the source code, the cooperation of the software vendor, or the need to engage in manual testing. This enables consumers of enterprise software to shed dependencies on their supplier base, obtaining the assurances they need through an independent verification of trust in software.
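As an added illustration of the static “unpacking” approach described above (example code written for this page, not ReversingLabs’ tooling), the following Python recursively opens a ZIP-based package without executing anything in it, inventories every embedded object by hash, and flags the two finding types the article names, exposed secrets and embedded executables. The package layout, the secret patterns and all helper names are assumptions.

```python
"""Static unpacking of a software package: enumerate embedded objects
without running the software, hash each one, and flag obvious risks.
Assumptions (constructed for this example): the package is a ZIP that may
contain nested ZIPs; checks are limited to credential patterns and
executable file headers."""
import hashlib
import io
import re
import zipfile

SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def unpack(data: bytes, path: str = "", depth: int = 0, max_depth: int = 5):
    """Yield (path, sha256, findings) for every leaf object; archives are
    recursed into (bounded by max_depth) rather than scanned as blobs."""
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{path}/{info.filename}" if path else info.filename
                yield from unpack(zf.read(info), child, depth + 1, max_depth)
        return
    findings = [f"secret:{n}" for n, p in SECRET_PATTERNS.items() if p.search(data)]
    findings += [f"executable:{k}" for m, k in EXEC_MAGIC.items() if data.startswith(m)]
    yield path, hashlib.sha256(data).hexdigest(), findings


def inventory(package: bytes) -> list:
    """Full object list: [(path, sha256, findings), ...]."""
    return list(unpack(package))


def flagged(package: bytes) -> dict:
    """Only objects that raised a finding: {path: [findings]}."""
    return {p: f for p, _, f in unpack(package) if f}


def build_sample() -> bytes:
    """Constructed sample 'installer': a config file with a leaked key and a
    nested archive holding a stub PE header (not a real binary)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("bin/agent.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("config/app.properties", b"aws.key=AKIAABCDEFGHIJKLMNOP\n")
        zf.writestr("README.txt", b"Vendor product 1.0\n")
        zf.writestr("lib/bundle.zip", inner.getvalue())
    return outer.getvalue()
```

Running `flagged(build_sample())` reports the leaked key in the config file and the executable buried one archive deep, while `inventory()` gives the hash list a buyer can keep as a baseline for detecting tampering in later releases.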

Although an approach like complex binary analysis represents a departure from traditional approaches to third-party risk management, it is essential to gain targeted risk insights at the product level, where malicious actors are implanting threats. Achieving these insights in an automated manner will enable the business to securely onboard third-party software at the speed of business.

About the Author

Charlie Jones | Director of Product Management

Charlie is currently a Director of Product Management and subject matter expert in supply chain security. Formerly a consultant at PwC, Charlie has 10 years’ experience delivering strategic transformation initiatives, specializing in cyber security, third-party risk management, and IT audit programs for Fortune and FTSE 100 companies across all three lines of defense. An active member of the global cyber security community, Charlie regularly publishes thought leadership, participates in industry working groups, and helps shape international cyber security standards through his position on the Technical Advisory Panel for the UK Cyber Security Council.