RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Mario Vuksan

Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 

SSCS is a footnote that grew up, moved out, and got its own report. 

Read More about Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 
Software Supply Chain Security Just Got Its Own Magic Quadrant — and RL Is In It 

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

The inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security is outGET THE REPORT
Skip to main content
Contact UsSupportBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsBlack Hat 2026
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top
AppSec & Supply Chain SecurityAugust 14, 2023

OWASP researcher: Supply chain attacks require going beyond vulnerabilities

Jeremy Long, who founded OWASP's Dependency Check Program, urges organizations to shift from traditional AppSec testing to tools that can remediate malicious threats.

smiling woman with glasses
Carolynn van Arsdale, Writer, ReversingLabs.Carolynn van Arsdale
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
car gear shift knob

It's not news that software supply chain attacks have become a pervasive threat. They have increased greatly — while becoming more complicated, varied, and targeted.

Jeremy Long, a principal engineer at ServiceNow and founder and project lead of the OWASP Dependency Check Program, said that from an attacker’s perspective, targeting the software development supply chain "just makes sense” given the “incomprehensibly large” attack surface and evolving complexity.

Long spoke at this year’s Black Hat conference in Las Vegas. In his talk, “Reflections on Trust in the Software Supply Chain,” he explained how the threat of software supply chain attacks has changed, adding that these changes are making organizations’ current defenses inadequate.

Here's why organizations need to turn their attention to malicious threats — not just vulnerable ones — to stop software supply chain attacks.

See related: Supply Chain Risk Report: Tooling Gap Leaves Orgs Exposed

Using yesterday’s tooling for today’s problems won’t cut it

Referring to the White House’s 2021 "Executive Order on Improving the Nation’s Cybersecurity," Long noted that there has been “frenzied activity” among organizations to better secure their software. This increased awareness of how important supply chain security can be, brought on by public policy, is a huge step in the right direction, he said. However, a defense gap remains.

This gap in security coverage is the result of changes in both the intention and methodology of software supply chain attacks. Long explained the difference between the two ways supply chain threats can be described: "vulnerable" and "malicious." And he said the tools that organizations are currently using to secure their supply chain, including software composition analysis (SCA) and static application security testing (SAST), only pinpoint the threats that can be classed as vulnerable.

The tracking of Common Vulnerabilities and Exposures (CVEs) is an example of a software supply chain security protocol that centers on vulnerable rather than malicious threats, which are intentional campaigns by threat actors meant to cause harm. When asked about CVEs and their impact on securing software supply chains, Long stressed that while these vulnerabilities at times have the potential to cause damage, they are not the major threat to supply chains.

I do think that in a lot of these cases, some of these vulnerabilities might be overhyped.

Jeremy Long

Long said that earlier software supply chain attacks relied on vulnerable threats that could be detected and patched. However, more recent supply chain attacks, such as SolarWinds and 3CX, were catastrophic not because of vulnerabilities but because of malicious threats, such as malware insertion or the abuse of secrets leaks. This is why focusing only on finding vulnerable threats, which tools such as SCA and SAST can spot, will leave a gap in organizations’ defenses against supply chain attacks.

What organizations should do to secure their software

Long said organizations should continue using measures such as provenance and the generation of software bills of material (SBOMs), which tools such as SCA and SAST tools can provide, but he added that if organizations want to properly defend against today's software supply chain attacks, they will have to adopt tooling and measures that detect and mitigate malicious threats.

He recommended modern tooling that uses binary source validation, which can detect threats such as malicious build-time dependencies. This type of protocol can provide a comparison of build versions, showcasing anomalies that traditional testing misses and that further analysis may deem malicious, Long said.

Keep learning

  • Learn how Gartner® named RL a supply chain security 'visionary.' Download: Gartner® Magic Quadrant™ for Software Supply Chain Security.
  • Get key insights into why Gartner® identified binary analysis as a must-have control in its recent CISO Playbook for Commercial Software Supply Chain Security.
  • Get up to speed on the Agentic Development Security tools landscape in this webinar with Forrester Sr. Analyst Janet Worthington.
  • Take a deep dive on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Plus: Join the free Spectra Assure Community today to get hands-on with RL's binary analysis-based software supply chain security platform.

Tags:AppSec & Supply Chain Security

More Blog Posts

5 takeaways

2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways

The Magic Quadrant™ for Software Supply Chain Security is a 45-minute read. Here's what we feel security leaders need to pull from it.

Learn More about 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
OSS security

Should frontier AI firms fund OSS ecosystem security?

With a ‘vulnpocalypse’ expected, AppSec leaders are calling for the companies to invest in a Great Refactor Fund to secure open source.

Learn More about Should frontier AI firms fund OSS ecosystem security?
Should frontier AI firms fund OSS ecosystem security?
Agentic AI architecture

Agentic AI risk isn't a model problem. It's an architecture problem.

Agentic AI is moving the perimeter from components to data — and most strategies aren't built for that.

Learn More about Agentic AI risk isn't a model problem. It's an architecture problem.
Agentic AI risk isn't a model problem. It's an architecture problem.

The race to secure AI coding: 4 steps to rein agents in

Coding agents are privileged insiders — with keys to CI/CD pipelines even as they give rise to ‘slopsquatting.’ Here’s how to govern them.

Learn More about The race to secure AI coding: 4 steps to rein agents in
The race to secure AI coding: 4 steps to rein agents in
AI coding agents