Verizon DBIR 2024: The rise in software supply chain attacks explained

The Verizon Data Breach Investigations Report (DBIR) is considered to be one of the leading annual reports on the state of cybersecurity. The report, which analyzes thousands of data breaches from the previous year, breaks down these incidents by their attack vector. In this year’s report, breaches caused by third-party software use increased dramatically – highlighting the growing risk from software supply chain compromises.

To better understand this increase in software supply chain-derived attacks — and gain more insights into the report – Philippe Langlois, co-author of the Verizon DBIR, joined RL for a live discussion with Ashlee Benge, Director of Threat Intelligence at RL, and Dan Petrillo, VP of Product Marketing at RL.

Here are the highlights from the Webinar, including Langlois’s thoughts on the threats posed by third-party software — and what security leaders need to pay attention to when bolstering their software supply chain security.

See the Webinar: 2024 DBIR & Software Supply Chain Risk: A Conversation With Verizon

DBIR 2024: Software supply chain attacks are increasing

The 2024 DBIR found that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches Verizon documented, a 68% jump from last year’s report. The increase prompted Verizon to note that organizations should “start looking at ways of making better choices” about which third party software providers they work with, “so as to not reward the weakest links in the chain.”

Langois posed important questions about the shared responsibility needed to defend against such third-party breaches in the Webinar, including:

How much of the risk does the organization own? And how much of the risk is placed on these third parties?

Verizon is not the only group putting a spotlight on software supply chain security. Initiatives such as U.S. Cybersecurity & Infrastructure Security Agency (CISA)'s Secure by Design initiative and related pledge, and the U.K.'s Code of Practice for Software Vendors, are encouraging software producers to take responsibility for the security of their code.

In addition to the rise in risk from supply chain compromises, Langois cited the difficulties in remediating vulnerabilities – a key facet of software supply chain security. Exploited vulnerabilities nearly tripled (180% growth) this past year, especially through web applications. Langois dubbed the effort to patch vulnerabilities “an unsustainable race” between defenders and threat actors. The reality check: Threat actors normally win out as it only takes them five days to scan for vulnerabilities to exploit. Meanwhile, the DBIR found that 85% of vulnerabilities are not patched after 30 days, and 50% are not patched after 55 days.

Mentioning the race between defenders and threat actors, RL's Benge noted that there are an infinite amount of chances for bad actors to exploit software, in addition to an infinite amount of chances for security professionals to overlook these risks:

As defenders, we have to be correct 100% of the time and attackers only have to be successful once. That really ups the stakes here.

How security teams can get ahead of threat actors

RL's Petrillo said while cybersecurity has traditionally been reactive, security leaders can best aim their efforts to shore up software supply chain security by becoming more proactive. Without the shift, security teams will remain in the dark, he noted:

I think right now, commercial software and updates remain a black box.

One way security teams can be proactive about these threats is by seeking transparency and comprehensive analysis of the third party software they use. Petrillo cited Software Bills of Materials (SBOMs) as being an important first step towards this goal, but made it known that organizations should also seek out a mature security tool that can actually analyze a software product’s components. After all, he noted in the conversation that “a list of ingredients doesn’t have inherent value.” Rather, he believes that for security teams to have a proactive stance they “have to understand what those ingredients mean to [them] and [their] business.”

Watch their full conversation now

Interested in learning more about the Verizon DBIR? Get key takeaways — and what it means for software supply chain security — in our Webinar, now available on demand.