Software supply chain attacks are soaring – and security leaders are sluggish to react

Software supply chain concept image showing interlinked points on a digital interface.

Nearly two-thirds of large organizations globally were hit by software supply chain attacks in the last two years, according to new research from Checkmarx.

Checkmarx's 2024 State of Software Supply Chain Security report, which surveyed 900 application security professionals from the US, Europe, and Asia-Pacific, found 63% had been the victim of such an attack within the past two years, with 18% hit in the last year.

With open source code packages making up 56% of respondents’ organizational applications, three-quarters said they were either very concerned or concerned about software supply chain security.

"‘Malicious’ is much more than vulnerable," said Amit Daniel, chief marketing officer at Checkmarx.

"We have seen more attacks on the open source ecosystem in the last two years than ever before with over 385,000 malicious packages detected to date by our own Checkmarx security research team."

However, the report found that, while the enterprise AppSec leaders surveyed are prioritizing software supply chain security, progress is slow.

Nearly six in ten respondents said that software supply chain security was a top or significant area of focus, with 54% planning to use, or investigating the use of, a solution. Eight in ten said that finding a solution was a top priority.

But while half are actively requesting software bills of materials (SBOMs) from their vendors, fewer than half of those requesting them said they knew how to leverage them effectively if needed, and only 7% said they have proper security tools in place.

"Software supply chain security has become an active target of government regulatory and cybersecurity agencies and is top of mind for over half of global enterprises we surveyed," Daniel said.

"It’s critical for CISOs and security leaders to make it easier for developers to understand the new risks and secure their entire software supply chain."

Recent research from BlackBerry revealed three-quarters of UK IT decision-makers have been notified of a software supply chain vulnerability or attack in the last twelve months, with 38% taking up to a month to recover.

The US National Institute of Standards and Technology (NIST) recently issued new guidance on software supply chain risks, advising the use of endpoint protection software, network security controls, access control policies and physical security measures.

Developers should download open source as source code rather than as pre-compiled libraries or binaries, and should verify digital signatures, run vulnerability scans, and check for recent updates on newly downloaded source code, it said.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.