Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free TrialBusiness losses caused by attacks on software supply chains could exceed $80.6 billion by 2026, a 76% increase over estimated 2023 losses of $45.8 billion, a recent study by market researcher Juniper Research has found.
The 32-page report, titled "Vulnerable Software Supply Chains Are a Multi-Billion Dollar Problem," attributes the rapid rise in losses to two primary causes: increasing risks caused by the absence of security processes from software supply chains, and the rising complexity of software supply chains overall.
Adversaries are realizing that confusion is prevalent in software development, said ReversingLabs Field CISO Matt Rose, especially with the speed of releasing software and the siloing of responsibilities and activities associated with cloud-native development. "So the cost of recovering from a software supply chain breach is going to be astronomical unless addressed early," he said.
Matt RoseWith a software supply chain attack, instead of hacking a million people, a threat actor can hack one thing that infects a million people. Then the software company has to pay damages and suffers reputation loss.
Here's a full rundown on the Juniper Research report, with analysis of the key problems that need to be addressed to minimize risk — and cost.
Get White Paper: Assess & Manage Commercial Software RiskPlus: See the Webinar
The report said that many businesses and industries lack sufficient cybersecurity resources to adequately harden their software supply chains — in many cases due to inadequate access to effective cybersecurity training or a failure to recognize the value of the data they work with or process.
Without a paradigm shift in the cybersecurity management of software supply chains, losses will continue to mount from cyberattacks, Rose said.
He said the shift needed should include focusing more on malware compromises to software supply chains. So much time and resources are being spent on looking for OWASP Top 10 vulnerabilities, pre-compiled state vulnerabilities, running state vulnerabilities, and API vulnerabilities, Rose said, that software engineers haven't caught on to the concept of an application containing malware.
Matt RoseSoftware supply chain risk is about malware. It's about getting malware into a piece of software or application in a way that's unknown or unanticipated. People have to stop just thinking about vulnerabilities and start thinking about risk and how to identify it early and respond to it quickly.
The Juniper report pointed to digital transformation as one of the leading contributors to cybersecurity risk for the software supply chain. Digitizing elements of the supply chain means it is increasingly vulnerable to disruption from cyberattack.
In addition, the introduction of digital elements to both product delivery and the traditional supply chain means that areas not usually considered part of the supply chain now need to be assessed when companies are looking to secure their sources of products and services.
What's needed is a comprehensive strategy that leverages a wide range of products, solutions, and regulatory compliance strategies to ensure the security and resilience of the industrial supply chain, the Juniper report said. Organizations need to think beyond the supply and movement of goods, to the supply of systems used to monitor and coordinate goods and services, including hardware and software systems that are used in the provision of a service.
They also need to include software updates and other services after a product's sale, as well as the software itself when it's used as a component in the delivery of finished goods — just as with connected devices.
The report author, Juniper Head of Research Nick Maynard, said in a statement that the two supply chain issues were interconnected and a multiplier of risk.
Nick MaynardThe software supply chain has been neglected over the years as a source of risk, leading to a situation where organizations face significant issues, if they cannot change the way they operate. As software supply chains become more complex, the problem becomes exponentially more complicated, requiring immediate attention to resolve, through regulations, SBOMs [software bills of materials], embedded security, and cybersecurity solutions.
The report lays out several priorities for securing the software supply chain:
The growth in software supply chain risk identified in the Juniper report was affirmed in a survey released by Capterra, an online marketplace vendor owned by Gartner. That survey of 271 IT security pros conducted in April found that 61% of businesses have been affected by a supply chain threat in the last 12 months.
Capterra analyst Zack Capers wrote:
And if your company is one of the lucky 39% that made it through the last year unscathed, it’s likely luck more than anything. That’s because the vulnerabilities wrought by software supply chain vulnerabilities are difficult to defend against.
Capterra's survey also found that:
Capers noted that open-source software is one of the many reasons for the rising demand among companies and government agencies for vendors to supply SBOMs to them. The survey found that nearly half of businesses (49%) say they're requesting SBOMs from vendors as part of their defense strategy against software supply chain threats.
The software supply chain is a mission-critical entity that affects all organizations that rely on technology to carry out their day-to-day operations, the Juniper report explained.
It is important for all stakeholders to consider how to best approach the security of their software supply chains. This requires closely examining their current approach, knowing which software and suppliers are involved, and ensuring that appropriate and necessary security mitigations are applied, the report added.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial