Supply chain attacks triple while known vulnerabilities are downloaded

In the 9th Annual State of the Software Supply Chain Report, Sonatype's security researchers report that, as of September 2023, they had caught over 245,000 malicious software supply chain attacks, twice as many as were found in all previous years combined.

The report also highlighted that, in 2023, 96% of open-source downloads with known vulnerabilities could have been avoided because a fixed version was already available. For example, despite a fix having been released almost 2 years ago, 23% of Log4j downloads are still of critically vulnerable versions.
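To make the "a fix was already available" finding concrete, here is an added example (my own illustration, not code from Sonatype or from the report) of the check a build pipeline can run before a dependency is pulled in: match each pinned dependency against an advisory database and separate "upgrade available" from "no fix yet". The package coordinates, version numbers and EXAMPLE-ADV identifiers are constructed placeholders, and the version comparison deliberately handles only numeric dotted versions.

```python
"""Flag pinned dependencies that fall inside an advisory's affected range
and report whether a fixed version already exists.

Added illustration; the advisory list and dependency list below are
constructed sample data, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version ("2.14.1") into a tuple of ints.

    Pre-release tags ("2.0-beta9") are out of scope for this example and
    are rejected rather than silently mis-ordered.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(part) for part in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so that "2.15" equals "2.15.0"."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    fixed: Optional[str]


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected range is [introduced, fixed), or [introduced, ...) when no fix exists."""
    if version_lt(version, adv.introduced):
        return False
    if adv.fixed is not None and not version_lt(version, adv.fixed):
        return False
    return True


def audit(dependencies: dict, advisories: list) -> list:
    """Match every pinned dependency against every advisory for that package."""
    findings = []
    for adv in advisories:
        version = dependencies.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append(Finding(adv.package, version, adv.advisory_id, adv.fixed))
    return findings


def avoidable_share(findings: list) -> float:
    """Fraction of vulnerable pins that an upgrade available today would resolve."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed is not None) / len(findings)


# Constructed sample lockfile: package coordinate -> pinned version.
DEPENDENCIES = {
    "com.example:logger": "2.14.1",   # affected, fix exists
    "com.example:parser": "3.0.1",    # affected, no fix published yet
    "com.example:http": "4.1.0",      # advisory exists, but this pin is past the fix
    "com.example:widget": "1.2.0",    # no advisory at all
}

# Constructed advisories with placeholder ids (not real CVE numbers).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "com.example:logger", "2.0", "2.15.0"),
    Advisory("EXAMPLE-ADV-0002", "com.example:parser", "3.0.0", None),
    Advisory("EXAMPLE-ADV-0003", "com.example:http", "4.0.0", "4.0.5"),
]


if __name__ == "__main__":
    results = audit(DEPENDENCIES, ADVISORIES)
    for f in results:
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix yet; mitigate or replace"
        print(f"{f.package} {f.version}: {f.advisory_id} -> {action}")
    print(f"avoidable by upgrading: {avoidable_share(results):.0%}")
```

In practice the advisory list would be fed from a vulnerability database such as OSV and the dependency list from the build's lockfile; the useful output is the split between findings that an upgrade resolves today and findings that need a mitigation or a replacement, which is exactly the gap the report's 96% figure describes.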

67% of respondents to a Sonatype poll said they were confident their applications do not rely on known vulnerable libraries, but almost 10% also claimed they had experienced security breaches due to open-source vulnerabilities in the past year.

“Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers to become better decision-makers, and giving them access to the right tools,” said Brian Fox, CTO at Sonatype.

Dave Ratner, CEO, HYAS had this comment:
 
   “Developers need to become better decision makers, but the best resiliency and security hygiene will come from pairing these approaches with solutions that can detect the telltale signs of infection, such as Protective DNS solutions.  By seeing the beaconing activity to command-and-control, they provide a security-in-depth strategy for resiliency and serve as the early-warning sign that something anomalous has snuck into the stack and needs to be addressed.”

There need to be improvements when it comes to how vulnerabilities are dealt with. Otherwise we’ll be trapped in this mess.

UPDATE: Craig Harber, Security Evangelist, Open Systems had this comment:

   “From my perspective the findings in this report are not surprising, but frankly, they are extremely frustrating. The lack of mature vulnerability management and patch management processes have been the Achilles heel of most agencies and organizations for as long as I can remember. Real leadership is needed to bring forward a change. And it’s got to be more than drafting regulations and guidance. Investments are needed in automation and AI-driven decision support tools to enable IT teams to do their jobs effectively. System owners and stakeholders need to be held accountable if they fail to provide the IT teams the necessary direction and tools to be successful.”
