By now we know that software supply chain security issues are plentiful. And perhaps you’ve (wisely) decided that it’s a good idea to secure your software supply chain…you just haven’t gotten around to dealing with it yet, given other organizational priorities. The more software you use, the more important it becomes to secure it. Software supply chain attacks are increasing, and there are major implications if you don’t.

In my previous blog post, I looked at how software supply chain attacks work and what you can do to assess and analyze your security posture. Now, let’s figure out how to use the resultant information to harden your software supply chain against threats.

Kroll’s findings for Q2 2023 reveal a notable shift toward increased supply chain risk, driven not only by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability, but by a rise in email compromise attacks. This and other key security trends are shaping a threat landscape in which diverse cyber threats are present.

As CISOs and CSOs craft or broaden their software supply chain security programs, they will be faced with an overwhelming number of tools in a variety of categories. Even with product consolidation, it may be confusing to figure out what they need in their tech stack. It’s no wonder–the software supply chain is comprised of code, configurations, proprietary and open source components, libraries, plugins, and container dependencies that are mainly derived from third-party providers.

In today’s complex and interdependent world, it’s incredibly difficult to deliver a product or service without a supply chain. But this dependency creates additional risks – from reputational losses to major business disruptions. And with 62% of organizations being impacted by supply chain cyberattacks in 2021, mitigating risks created by third parties is extremely important.

In 2022, nearly 1,700 entities across the globe fell victim to software supply chain attacks, impacting over 10 million people. Nearly each of these attacks included some element of faulty or nefarious open-source code. Software developers commonly rely on open-source components to speed up the development process, but as we can see, this practice has the potential to introduce malicious packages and vulnerabilities into the code due to the lack of proper curation and maintenance.

When it comes to applications and software, the key word is ‘more.’ Driven by the needs of a digital economy, businesses depend more and more on applications for everything from simplifying business operations to creating innovative new revenue opportunities. Cloud-native application development adds even more fuel to the fire. However, that word works both ways: Those applications are often more complex and use open-source code that contains more vulnerabilities than ever before.

The supply chain, already fragile in the USA, is at severe and significant risk of damage by cyberattacks. According to research analyzed by Forbes, supply chain attacks now account for a huge 62% of all commercial attacks, a clear indication of the scale of the challenge faced by the supply chain and the logistics industry as a whole.