RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
2026-06-18_Forrester & RL Upcoming Webinar

Forrester Names RL in Agentic Development Security Market

The new landscape report maps 35 vendors addressing an emerging category of risk: AI agents writing insecure code at machine speed.

Read More about Forrester Names RL in Agentic Development Security Market
Forrester Names RL in Agentic Development Security Market

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ReversingLabs: The More Powerful, Cost-Effective Alternative to VirusTotalSee Why
Skip to main content
Contact UsSupportBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
Events
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
AppSec & Supply Chain SecurityMay 24, 2023

Practitioners reveal growing concerns about software security

In a recent survey, 300 IT and software pros were asked about the state of software supply chain security. Here are takeaways from a webinar discussion.

smiling woman with glasses
Carolynn van Arsdale, Writer, ReversingLabs.Carolynn van Arsdale
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
Practitioners reveal growing concerns about software security

Dimensional Research recently polled more than 300 technology professionals in the United States and Europe on the state of software supply chain security. The survey, sponsored by ReversingLabs, revealed growing alarm from teams charged with securing software across its lifecycle.

To reflect on and gain feedback from others in the industry, ReversingLabs' Paul Roberts and Matt Stephenson recently hosted a webinar to discuss the survey’s results — and to compare them to what attendees are seeing on their own security teams.

Here are key takeaways from the webinar discussion about the ReversingLabs Software Supply Chain Risk Survey.

Watch the webinar: Security Pros Reveal Top 7 Software Supply Chain Security ConcernseBook: Why Traditional App Sec Testing Fails on Supply Chain Security

Extra, extra! Headlines matter

As is the case with application security and cybersecurity generally, threats to software supply chains advance at the speed of technological innovation, with bad actors becoming early adopters of new tools and technologies. On the question of supply chain risk, when Dimensional Research polled respondents on which software issues pose the biggest risk to their companies, the vast majority (82%) cited software that contains vulnerabilities. That reflects a longstanding focus on vulnerability management, which has been a standard app sec practice for the past two decades.

However, times are changing, and threat actors’ advancements and attacks have made headlines, creating an even greater awareness in the industry that threats extend beyond vulnerabilities. In the past six months, several major software supply chain security incidents have been reported, such as the software supply chain attack on CircleCI, which was the result of a secrets exposure, as well as the attack on 3CX, which was an example of highly targeted tampering.

The CircleCI and 3CX incidents, which happened after the survey was taken, garnered a lot of recent attention, but 2022 was an eye-opener for many, as noted in our special report The State of Software Supply Security 2022-23. In the webinar, attendees were asked to say which issues posed the biggest risk to their software supply chains. Concerns about the risks of software vulnerabilities were evenly distributed along with issues such as software tampering, secrets exposures, and malicious code — a likely reflection of the CircleCI and 3CX headlines.

Lack of trust in the software supply chain is pervasive

In addition to the industry becoming more aware of the various threats to software supply chains, security teams are increasingly wary of software sources that are targeted by threat actors. In Dimensional Research’s polling of professionals, the majority of respondents (70%) cited open-source software as a source of software security issues. This reflects the steep increase in attacks on open-source repositories in recent years. In ReversingLabs' analysis of the National Vulnerability Database (NVD), for example, researchers discovered that attacks on two popular repositories, PyPI and npm, increased by almost 300% over the last four years.

For many security practitioners, that figure put a spotlight on an equally vulnerable building block of software, third-party suppliers. Most webinar participants found third-party software to be a greater source of software security threats than open-source software.

During the webinar, Stephenson pointed out that this increased attention to third-party software risk speaks to a lack of trust in these services, which are fundamental to software supply chains. It would make sense that this increase in attention could be attributed to the supply chain attack on 3CX, which impacted customers reliant on the company’s 3CXDesktopApp.

Open-source software remains a significant source of risk

There was also strong agreement among both the survey respondents and the attendees of the webinar about which software sources yield security issues for organizations. As with the survey respondents, 70% of webinar attendees cited open-source software as a primary source of software issues in their software supply chains.

This merely reflects reality. ReversingLabs’ own research speaks to the sheer number of these attacks. From grand-scale operations such as the IconBurst attack, which was a widespread campaign to spread malicious data harvesting packages on npm, to stealthier incidents, such as attackers pushing malware on PyPI via legitimate open-source modules, ReversingLabs threat researchers have uncovered a number of incidents that display an array of techniques attackers use to take advantage of open-source repositories.

Maturity matters: The evolution of app sec

The ReversingLabs Software Supply Chain Risk Survey clearly indicates that the industry is moving in the right direction on software supply chain security. Identifying security teams' fears — and the risks and key factors that contribute to software supply chain attacks — is essential for the industry’s progress.

But software teams are facing growing supply chain complexity and threats. ReversingLabs Field CISO Matt Rose wrote as part of our Evolution of App Sec special report that threat actors aren't limited to compromising software repositories when attacking a software supply chain — and neither should defenders limit themselves to legacy app sec testing tools when protecting the software supply chain.

What’s needed next is action on how teams can mature their software supply chain security programs. This means making teams fully aware of the threats to look out for as well as supplying them with the modern tooling that best handles advanced threats.

Rose said a modern software supply chain security platform needs to protect both infrastructure and applications — and shift the emphasis from vulnerabilities to malware. Binary analysis allows deeper visibility for teams to ensure their software is secure by focusing on how code behaves, regardless of where it came from.

Software supply chain security needs to be recognized for what it has become: a separate discipline within the application security ecosystem.

Matt Rose

Watch the Webinar: Security Pros Reveal Top 7 Software Supply Chain Security ConcernseBook: Why Traditional App Sec Testing Fails on Supply Chain Security

Keep learning

  • Get up to speed on the Agentic Development Security tools landscape in this June 18 webinar with Forrester Sr. Analyst Janet Worthington.
  • Learn why binary analysis is a must-have control in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take a deep dive on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security

More Blog Posts

Shai-hulud worm DevOps

npm v12 blocks install scripts: What it means for software security

By disabling install scripts by default, it closes the vector worms like Shai-Hulud rely on. Here's what the update fixes — and what it doesn't.

Learn More about npm v12 blocks install scripts: What it means for software security
npm v12 blocks install scripts: What it means for software security
MCP is the new API

MCP security tracks API's playbook — we know how that ends

The standard connecting AI agents to tools and data leaves security to others. Make it a do-over.

Learn More about MCP security tracks API's playbook — we know how that ends
MCP security tracks API's playbook — we know how that ends
CVE Lite CLI

Dependency remediation bolstered with CVE Lite CLI

OWASP's new dependency scanner gives developers actionable fixes. But supply chain attacks aren’t yet CVEs.

Learn More about Dependency remediation bolstered with CVE Lite CLI
Dependency remediation bolstered with CVE Lite CLI
Out front in race

Get ahead of frontier AI: 5 AppSec strategy upgrades

Frontier AI is collapsing the time from vulnerability discovery to exploit. Here are 5 ways to update your AppSec before it hits.

Learn More about Get ahead of frontier AI: 5 AppSec strategy upgrades
Get ahead of frontier AI: 5 AppSec strategy upgrades

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top