Software supply chains are soft targets: attackers exploit the lack of transparency, visibility and security of the open-source libraries that companies use, embedding malicious code in them for wide distribution. When companies don’t know where the code libraries or packages in their software originate, their security and compliance risks grow.
The latest Synopsys Open Source Security and Risk Analysis Report found that 97% of commercial code contains open-source code, and 81% contains at least one vulnerability. Additionally, 53% of the codebases analyzed had licensing conflicts, and 85% were at least four years out of date.
It’s common for development teams to use libraries and packages found on GitHub and other code repositories. Software bills of materials (SBOMs) are needed to keep track of each open-source software (OSS) component and library used during the devops process, including the point at which it enters the software development life cycle (SDLC).
Securing software supply chains
Software development leaders need to take action and integrate SBOMs throughout their SDLC and workflows to avert the risk of Log4j and comparable vulnerable or compromised OSS components corrupting their code and infecting their customers’ systems. Software composition analysis (SCA) tools and the SBOMs they generate give devops teams what they need to track where open-source components are being used. One of the critical goals of adopting SBOMs is to create and maintain current inventories of where and how each open-source component is used.
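To make that inventory goal concrete, here is an added example, not code from the article or from Synopsys, that loads a CycloneDX-style SBOM (a real, widely used SBOM format) and turns it into the kind of component inventory an SCA pipeline produces: it flags components whose version is below an assumed fixed version, components carrying a licence that needs review, and components whose licence is missing altogether. The SBOM document, the advisory table and the licence policy are all constructed for the example; the `fixed_in` version for `log4j-core` and the restricted-licence set are assumptions standing in for a real vulnerability feed and a real legal policy.

```python
"""Minimal SBOM inventory check over a CycloneDX-style JSON document.

Added example, not from the original article. The SBOM below is
constructed inline; the advisory table and licence policy are assumptions
standing in for a real vulnerability feed and a real licence policy.
"""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX 1.4-style SBOM with four components:
# an outdated logging library, a copyleft-licensed library,
# an up-to-date library, and one with no licence information at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-gpl-lib", "version": "1.0.0",
         "purl": "pkg:pypi/example-gpl-lib@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "unlicensed-widget", "version": "0.3.0",
         "purl": "pkg:npm/unlicensed-widget@0.3.0"},
    ],
})

# Assumed advisory table (constructed): component name -> first fixed version.
# A real pipeline would pull this from a vulnerability feed keyed by purl.
ADVISORIES = {"log4j-core": "2.17.1"}

# Assumed licence policy (constructed): licences requiring legal review before shipping.
RESTRICTED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Non-numeric qualifiers (e.g. '-beta') are dropped, so this is only a
    coarse comparison, adequate for the demonstration."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


@dataclass
class Component:
    name: str
    version: str
    purl: str
    licenses: list = field(default_factory=list)


def load_components(sbom_json):
    """Parse the CycloneDX document into Component records.

    A component without a licenses array is recorded as 'UNKNOWN' so that
    the gap shows up in the inventory instead of silently passing."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        licenses = [entry.get("license", {}).get("id", "UNKNOWN")
                    for entry in c.get("licenses", [])] or ["UNKNOWN"]
        components.append(Component(c["name"], c["version"], c.get("purl", ""), licenses))
    return components


def inventory(sbom_json):
    """Return (purl, finding_type, detail) tuples for every component that
    is below its fixed version, carries a restricted licence, or has no licence."""
    findings = []
    for comp in load_components(sbom_json):
        fixed_in = ADVISORIES.get(comp.name)
        if fixed_in and parse_version(comp.version) < parse_version(fixed_in):
            findings.append((comp.purl, "vulnerable", fixed_in))
        for lic in comp.licenses:
            if lic in RESTRICTED_LICENSES:
                findings.append((comp.purl, "license-review", lic))
            elif lic == "UNKNOWN":
                findings.append((comp.purl, "license-unknown", lic))
    return findings


if __name__ == "__main__":
    for purl, kind, detail in inventory(SAMPLE_SBOM):
        print(f"{kind:16} {purl}  ({detail})")
```

The purl (package URL) is the stable key here: it names the ecosystem, namespace, name and version of each component, which is what lets an SBOM be matched against advisory feeds and re-checked every time the inventory is regenerated in the pipeline.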