<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

OWASP researcher: Supply chain attacks show organizations must shift beyond vulnerabilities

Jeremy Long, who founded the group's Dependency Check Program, says organizations need to shift from traditional app sec testing to tools that can remediate malicious threats.

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Cyber Content Creator at ReversingLabs.


It's not news that software supply chain attacks have become a pervasive threat. They have increased greatly — while becoming more complicated, varied, and targeted.

Jeremy Long, a principal engineer at ServiceNow and founder and project lead of the OWASP Dependency Check Program, said that from an attacker’s perspective, targeting the software development supply chain "just makes sense” given the “incomprehensibly large” attack surface and evolving complexity. 

Long spoke at this year’s Black Hat conference in Las Vegas. In his talk, “Reflections on Trust in the Software Supply Chain,” he explained how the threat of software supply chain attacks has changed, adding that these changes are making organizations’ current defenses inadequate. 

Here's why organizations need to turn their attention to malicious threats — not just vulnerable ones — to stop software supply chain attacks. 

[ See related: Supply Chain Risk Report: Tooling Gap Leaves Orgs Exposed ]

Using yesterday’s tooling for today’s problems won’t cut it

Referring to the White House’s 2021 "Executive Order on Improving the Nation’s Cybersecurity," Long noted that there has been “frenzied activity” among organizations to better secure their software. This increased awareness of how important supply chain security can be, brought on by public policy, is a huge step in the right direction, he said. However, a defense gap remains.

This gap in security coverage is the result of changes in both the intention and methodology of software supply chain attacks. Long explained the difference between the two ways supply chain threats can be described: "vulnerable" and "malicious." And he said the tools that organizations are currently using to secure their supply chain, including software composition analysis (SCA) and static application security testing (SAST), only pinpoint the threats that can be classed as vulnerable. 

The tracking of Common Vulnerabilities and Exposures (CVEs) is an example of a software supply chain security protocol that centers on vulnerable rather than malicious threats, which are intentional campaigns by threat actors meant to cause harm. When asked about CVEs and their impact on securing software supply chains, Long stressed that while these vulnerabilities at times have the potential to cause damage, they are not the major threat to supply chains. 

“I do think that in a lot of these cases, some of these vulnerabilities might be overhyped.”
Jeremy Long

Long said that earlier software supply chain attacks relied on vulnerable threats that could be detected and patched. However, more recent supply chain attacks, such as SolarWinds and 3CX, were catastrophic not because of vulnerabilities but because of malicious threats, such as malware insertion or the abuse of secrets leaks. This is why focusing only on finding vulnerable threats, which tools such as SCA and SAST can spot, will leave a gap in organizations’ defenses against supply chain attacks. 

What organizations should do to secure their software

Long said organizations should continue using measures such as provenance and the generation of software bills of material (SBOMs), which tools such as SCA and SAST tools can provide, but he added that if organizations want to properly defend against today's software supply chain attacks, they will have to adopt tooling and measures that detect and mitigate malicious threats. 

He recommended modern tooling that uses binary source validation, which can detect threats such as malicious build-time dependencies. This type of protocol can provide a comparison of build versions, showcasing anomalies that traditional testing misses and that further analysis may deem malicious, Long said.

Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.

More Blog Posts

    Special Reports

    Latest Blog Posts

    The State of Software Supply Chain Security 2024 The State of Software Supply Chain Security 2024

    Conversations About Threat Hunting and Software Supply Chain Security

    Reproducible Builds: Graduate Your Software Supply Chain Security Reproducible Builds: Graduate Your Software Supply Chain Security

    Glassboard conversations with ReversingLabs Field CISO Matt Rose

    Software Package Deconstruction: Video Conferencing Software Software Package Deconstruction: Video Conferencing Software

    Analyzing Risks To Your Software Supply Chain