New research warns that all companies using open source code in their software are at risk of supply chain attacks, regardless of size or industry.
A report from cybersecurity experts Checkmarx claims that despite the bleak outlook, things are looking good for application security (AppSec) leaders.
To create the State of Software Supply Chain Security 2024 report, Checkmarx surveyed 900 AppSec professionals across the U.S., Europe, and Asia Pacific. Of those surveyed, 100% said they had experienced a software supply chain attack in the past.
Insight into new risks
While this is certainly not good news, the trend over the past two years is promising. While nearly two-thirds (63%) said they had been a victim in the past two years, less than a fifth (18%) had experienced such an attack in the past year.
The news is troubling and AppSec professionals are aware of it. Three-quarters (75%) said they were either very concerned (39%) or concerned (36%) about the risks. However, they do not sit still. While more than half (56%) organizational applications included open source packages, 57% said software supply chain security was a “top” or “important” area of focus.
More than half (54%) plan to use or are currently investigating a potential solution, while 50% are requesting software BOMs from their suppliers.
For Amit Daniel, Chief Marketing Officer at Checkmarx, it is critical that CISOs and security managers make it easier for developers to understand the new risks and secure their entire software supply chain.
“’Malicious’ is much more than vulnerable. We have seen more attacks on the open source ecosystem in the past two years than ever before, with more than 385,000 malicious packages detected by our own Checkmarx security research team to date,” said Daniel. “Software supply chain security has become an active target of government regulators and cybersecurity agencies and is at the top of the agenda for more than half of the global enterprises we surveyed.”