The software supply chain has emerged as a vital concern for enterprises facing an increasingly complex digital landscape. A recent JFrog report highlights the escalating challenges organizations encounter in securing their software ecosystems.
The “Software Supply Chain State of the Union 2024,” published last week, indicates that today's software supply chains are diverse and global. Many organizations, about 53%, use between four to nine programming languages, with an impressive 31% relying on over ten languages.
This complexity has resulted in a surge of open-source packages and libraries for application development. According to the report, “Docker and npm were the most-contributed package types, with PyPI contributions also growing, likely due to AI/ML use cases.” However, this wealth of resources brings potential risks to organizations.
In 2023, security researchers reported over 26,000 new Common Vulnerabilities and Exposures (CVEs), continuing a trend of increasing vulnerabilities. The report notes that the most common vulnerabilities this year were Cross-site Scripting, SQL Injection, and Out-of-Bounds Write, with Cross-Site Request Forgery becoming more prevalent.
Misleading CVSS Scores Mask Real Risk
Shachar Menashe, Sr. Director of JFrog Security Research, pointed out the deceptive nature of Common Vulnerability Scoring System (CVSS) scores regarding actual exploitability. “CVSS scores do not consider context-dependent attack vectors. Consequently, a default-exploitable vulnerability receives the same score as a vulnerability that is only exploitable under rare conditions,” Menashe explained. The report reveals that a staggering 74% of high and critical CVEs on the top 100 DockerHub images are not exploitable, underscoring the need for a deeper assessment of risks based on an organization’s specific context and configuration.
Hidden Risks in Software Supply Chains
The report identifies human error and exposed secrets as significant vulnerabilities within software supply chains. Menashe emphasized the advantages of scanning at the binary level, stating, “Scanning and validating what will run in production can uncover exposures that only appear once code has been compiled.” Issues like leaked secrets often bypass detection in source code but surface in the final image due to the CI/CD pipeline.
Disjointed Security Approaches Drain Resources
Despite increasing awareness, organizations often face fragmented security protocols that waste time and resources. The report revealed that 60% of professionals spend four or more days per month remediating application vulnerabilities.
Menashe recommends prioritizing vulnerabilities through investments in security solutions that contextualize scanning results, stating, “Merely flagging CVEs isn’t adequate. Contextual scanning, whether static or dynamic, is essential. Ignoring context leads to approximately 75% false positives.”
The report also addresses the challenges posed by an overwhelming number of security tools. Menashe noted that an excess of point solutions can create coverage gaps and result in alert fatigue, hindering development workflows.
AI and Machine Learning Introduce New Risks
The rise of artificial intelligence (AI) and machine learning (ML) in software development introduces its own risks. While 94% of organizations review the security of open-source machine learning models, nearly 20% refrain from using AI/ML for code creation due to security concerns.
Menashe predicts that the use of AI for coding will increase but warns of associated security risks. "While GenAI can significantly boost developer productivity, it's crucial for developers to recognize that such practices can threaten security and compliance, as GenAI often fails to produce secure code," he cautioned.
He also alerts CISOs to the potential for attackers exploiting AI's tendency to fabricate non-existent libraries, enabling the creation of malicious packages that developers may inadvertently use.
Key Recommendations for Securing Software Supply Chains
As organizations navigate the evolving software supply chain landscape, the JFrog report serves as a critical reminder to prioritize security and adopt a comprehensive risk management approach.
Menashe offers key recommendations for IT leaders:
1. Restrict direct downloads of open-source software (OSS) packages from the internet, using an artifact management solution to review and secure artifacts before they reach the developer environment.
2. Manage all inputs and outputs involved in software releases within a unified system that incorporates end-to-end application security to ensure consistent policy application across teams.
3. Implement anti-tampering measures such as code-signing to maintain the integrity of releases, ensuring only the intended, secure components are included as software matures.
By adopting contextual scanning, consolidating security efforts, and proactively addressing risks related to AI-generated code, enterprises can strengthen their software supply chains and protect against hidden threats.
The JFrog report highlights the urgency for vigilant, comprehensive approaches to software supply chain security in light of an increasingly expansive attack surface.