
Rezilion

Blindly Trusting Software Dependencies is the Opposite of Zero Trust

Trust should be earned, yet too often we place our trust blindly. Software is one such example. Attacks like SolarWinds and the vulnerability discovered in the Log4j open source library should serve as the wake-up call for developers that the software supply chain is vulnerable. There are too many players in the open source supply chain, which has become increasingly interconnected and complex, and attackers are scarily good at finding openings in the nooks and crannies. Zero trust says no more.

Vulnerability Management Doesn't Have to be a Time Waster. Here's How to Speed It Up

Finding and fixing software vulnerabilities is one thing. Finding and fixing software vulnerabilities that actually pose a real threat to your organization and others is something else entirely. Not all vulnerabilities are equal in terms of potential impact on an organization. And the difference between addressing all bugs discovered versus only the genuinely risky ones is the amount of time, money and other resources security teams are spending in their vulnerability management endeavors.

Securing Your Software Supply Chain Requires a Dynamic SBOM

Concern is growing over the rise in software supply chain attacks and the need to develop better risk management policies. The software attack surface continues to grow, which, in turn, increases risk. Recent high-profile attacks impacting companies including SolarWinds and Kaseya illustrate how vulnerable the software supply chain is today.

A Modern Security Environment Requires An SBOM

Organizations with legacy environments should be focused on reducing technical debt, which can expose businesses to exploits. In a recent article published by Forbes, Rezilion Co-Founder and CEO, Liran Tancman, discusses how restructuring organizations to better integrate tools such as SBOMs (Software Bills of Material) is a necessary step for the future. The use of such assets allows companies to reduce their workload by identifying what matters in their software and eliminating unnecessary code.

How to Avoid Common Vulnerability Management Mistakes

Given the challenges with vulnerability management today, it should come as no surprise that enterprises are regularly hit with cyber breaches related to software bugs. In fact, one Ponemon study finds 60% of breaches are the result of unpatched vulnerabilities. The real wonder is that it doesn’t happen more often. When it comes to managing the software flaws that bad actors can exploit to launch attacks, there is clearly room for improvement.

Our Current Approach to Vulnerability Management Isn't Working

Anyone who thinks the status quo for vulnerability management is fine is not paying attention. Organizations are getting hit with significant breaches, hacks, ransomware and other attacks. And in many cases, software vulnerabilities are to blame for these incidents. Meanwhile, security teams are overwhelmed with the effort of patching software bugs, and the backlog for patching continues to grow longer.