Software supply chains are becoming a worrying weak link for firms of all sizes


All companies that use open source code in their software are at risk of supply-chain attacks, regardless of their size or the industry they're in, new research has warned.

A report from cybersecurity experts Checkmarx claims that, despite the grim outlook, things are looking up for application security (AppSec) leaders.

To draft its 2024 State of Software Supply Chain Security report, Checkmarx surveyed 900 AppSec professionals in the US, Europe, and Asia-Pacific. All of them, 100%, claimed to have experienced a software supply chain attack at some point in the past.

Understanding new risks

While this definitely isn't good news, the trend over the last two years shows promise: almost two-thirds (63%) reported falling victim within the past two years, but less than a fifth (18%) suffered such an attack within the past year.

The news is worrisome, and AppSec pros are aware of it. Three-quarters (75%) said they were either very concerned (39%) or concerned (36%) about the risks. However, they're not sitting idly. In more than half (56%) of organizations, applications contain open-source packages, and 57% said software supply chain security was a "top" or "significant" area of focus.

More than half (54%) are planning to use, or are currently investigating, a potential solution, while 50% are requesting software bills of materials (SBOMs) from their vendors.

For Amit Daniel, Chief Marketing Officer at Checkmarx, it’s critical for CISOs and security leaders to make it easier for developers to understand the new risks and secure their entire software supply chain.

"'Malicious' is much more than vulnerable. We have seen more attacks on the open source ecosystem in the last two years than ever before, with over 385,000 malicious packages detected to date by our own Checkmarx security research team," Daniel said. "Software supply chain security has become an active target of government regulatory and cybersecurity agencies and is top of mind for over half of global enterprises we surveyed."

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In a career spanning more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also taught several modules on content writing for Represent Communications.