
Software supply chain security continues to be a major concern for businesses. A new report, "OSC&R In the Wild: A New Look at the Most Common Software Supply Chain Exposures," sheds light on the challenges and vulnerabilities many organizations face. With 91% of organizations experiencing a supply chain security incident in 2023, the need for stronger defenses is more urgent than ever. The report highlights the OSC&R (Open Software Supply Chain Attack Reference) framework as a critical tool for understanding and mitigating the risks within the software supply chain.

Researchers collected over one hundred million software supply chain security alerts from thousands of applications and repositories. By analyzing this data through the lens of the OSC&R framework, the report provides a detailed view of how attackers target various stages of the software development lifecycle. This information is essential for AppSec, DevOps, and Product Security teams to prioritize vulnerabilities and strengthen their defenses against real-world threats.

Alert Overload

One of the key takeaways from the report is the overwhelming volume of alerts security teams face, with an average organization managing over 119,000 alerts from their applications. This "alert overload" makes it difficult to focus on the most critical vulnerabilities, leaving many serious risks unresolved. Even after applying automated analysis to reduce noise, organizations still face around 660 high-priority issues, illustrating the scale of the challenge.

The report also underscores the persistence of vulnerabilities in widely known attack stages like Initial Access, Execution, and Persistence. These stages, which represent critical points in the attack chain, are where organizations are most vulnerable. The findings show that despite advancements in security tools and practices, many companies remain exposed to age-old vulnerabilities like command injection and cross-site scripting, which continue to provide easy entry points for attackers.

Multi-stage Exposures

What’s especially concerning is the number of applications that contain vulnerabilities across multiple stages of the kill chain. This "multi-stage exposure" creates fertile ground for attackers, amplifying the damage a single vulnerability can cause. In particular, weaknesses in Initial Access often lead to further risks in the Execution or Persistence stages, where attackers can execute malicious code or maintain a long-term presence in the system.
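To make the two findings above concrete, here is an added example (not code from the report or from HCL) of the triage step a team might apply to a flood of alerts that have already been mapped to OSC&R stages: group alerts per application, flag applications whose exposures span an entry stage and a follow-on stage, and rank those multi-stage applications ahead of everything else. The alert records, application names, and the particular stage groupings are constructed for the illustration; the stage mapping itself is assumed to have been done by the scanner or ASPM tool.

```python
from collections import defaultdict

# Constructed sample alerts for this example (not data from the report).
# Each alert is assumed to arrive already tagged with an OSC&R stage.
SAMPLE_ALERTS = [
    {"app": "billing-api",  "stage": "Initial Access", "severity": "high",   "finding": "command injection"},
    {"app": "billing-api",  "stage": "Execution",      "severity": "high",   "finding": "unsafe deserialization"},
    {"app": "billing-api",  "stage": "Persistence",    "severity": "medium", "finding": "writable scheduled-task path"},
    {"app": "portal-web",   "stage": "Initial Access", "severity": "medium", "finding": "cross-site scripting"},
    {"app": "portal-web",   "stage": "Initial Access", "severity": "low",    "finding": "verbose error page"},
    {"app": "report-batch", "stage": "Execution",      "severity": "high",   "finding": "outdated library"},
    {"app": "report-batch", "stage": "Execution",      "severity": "low",    "finding": "debug flag enabled"},
]

# Severity ordering used for the count-based tie-break (an assumption of this example).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def stages_per_app(alerts):
    """Map each application to the set of OSC&R stages its alerts touch."""
    stages = defaultdict(set)
    for alert in alerts:
        stages[alert["app"]].add(alert["stage"])
    return dict(stages)


def multi_stage_apps(alerts, entry=("Initial Access",), follow_on=("Execution", "Persistence")):
    """Applications exposed at an entry stage AND at least one follow-on stage.

    This is the "multi-stage exposure" pattern: an Initial Access weakness
    paired with an Execution or Persistence weakness in the same application.
    """
    flagged = []
    for app, stages in stages_per_app(alerts).items():
        if stages & set(entry) and stages & set(follow_on):
            flagged.append(app)
    return sorted(flagged)


def prioritize(alerts, min_severity="high"):
    """Rank applications for review.

    Multi-stage applications come first; within each group, applications
    with more alerts at or above min_severity come earlier; name breaks ties.
    """
    threshold = SEVERITY_RANK[min_severity]
    serious = defaultdict(int)
    for alert in alerts:
        if SEVERITY_RANK[alert["severity"]] >= threshold:
            serious[alert["app"]] += 1
    chained = set(multi_stage_apps(alerts))
    apps = {alert["app"] for alert in alerts}
    # Tuple key: False sorts before True, so chained apps lead the list.
    return sorted(apps, key=lambda app: (app not in chained, -serious[app], app))


if __name__ == "__main__":
    for app in prioritize(SAMPLE_ALERTS):
        print(app, sorted(stages_per_app(SAMPLE_ALERTS)[app]))
```

Run stand-alone, the script lists the applications in review order with the stages each one touches; the point of the ordering is that an application with an entry-stage weakness and a follow-on weakness outranks one with a larger raw count of high-severity alerts confined to a single stage.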

While the report highlights the challenges, it also provides hope in the form of better technology and processes. By integrating the OSC&R framework with advanced tools for Application Security Posture Management (ASPM) and Application Detection and Response (ADR), organizations can better identify and respond to threats in real time. This proactive approach, combined with continuous improvement and collaboration, is key to staying ahead of attackers.

For businesses looking to strengthen their software supply chain security, this report is a crucial resource. It not only reveals the most common threats, but also provides actionable insights to improve defenses and reduce exposure. For a closer look at the findings and to learn more about the OSC&R framework, check out the full report [here].
