Software supply chain attacks show no sign of slowing and can have devastating consequences. An attack on a third party's software supply chain can compromise an organization's systems without its knowledge, exposing both the organization and its customers to greater risk.
Many proprietary software applications are built on third-party code and open-source software to keep up with rapid innovation. While this is highly beneficial, it also introduces additional risk, increasing the need for methods that quickly identify both exploitable coding errors and deliberately malicious code.
According to the 2021 Open Source Security and Risk Analysis report (registration required), 84% of codebases audited included one or more open-source vulnerabilities, 60% had high-risk vulnerabilities and 65% contained open-source software with license conflicts.
Recent incidents, such as the attacks involving SolarWinds and Kaseya, demonstrate the potential impact of malicious code, while Log4j serves as an example of the ramifications of incorrect code. In the SolarWinds case, the vendor's software was compromised with malicious code, and the infected product was then distributed to customers.
Log4j is a software component embedded in the systems that power a wide range of products and applications. Because of faulty code, it contains a vulnerability that bad actors can leverage to take over servers and cause widespread damage.
The effects of these cyberattacks and coding flaws can extend beyond the primary user's systems—often into their third parties' systems and beyond—compounding the impact at each step.