Flaws in open source software are contributing to a sharp rise in reports to the National Vulnerability Database (NVD) in 2022. But emerging software supply chain attacks warrant a rethink of the NVD—and of your software security approach—so that both go beyond common software vulnerabilities.
Seen in the context of the rising tide of software supply chain attacks, the growth in reports to the NVD suggests that the focus of malicious actors is shifting. And yet the NVD is still dominated by flaws in a handful of legacy platforms from firms including Microsoft, Red Hat, Google, Apple and Oracle.
The NVD is a critical resource for both software development and security organizations. To remain relevant, however, the scope of the NVD needs to expand to capture the full breadth of vulnerable platforms and applications, as well as the full diversity of security exposures (the "E" in CVE)—including malware injections, software tampering and secrets exposure, all of which threaten supply chain integrity.
Key report takeaways:
• Attackers are shifting their efforts from apps to software components
• The NVD is not keeping pace with supply chain risk
• Trust is key. Focus on what code actually does—not just where it comes from
Download the free report today. Plus: See the report's infographic and related story, 6 reasons app sec teams should go beyond legacy vulnerabilities.