Software supply chains are becoming a worrying weak link for firms of all sizes


All companies that use open source code in their software are at risk of supply-chain attacks, regardless of their size or the industry they're in, new research has warned.

A report from cybersecurity experts Checkmarx claims that, despite the grim outlook, things are looking up for application security (AppSec) leaders.

To draft its 2024 State of Software Supply Chain Security report, Checkmarx surveyed 900 AppSec professionals in the US, Europe, and Asia-Pacific. Every one of them (100%) said they had experienced a software supply chain attack at some point in the past.

Understanding new risks

This is certainly not good news, but the trend over the last two years shows promise: almost two-thirds (63%) reported falling victim within the past two years, while fewer than a fifth (18%) suffered such an attack within the past year.

The news is worrisome, and AppSec pros are aware of it. Three-quarters (75%) said they were either very concerned (39%) or concerned (36%) about the risks. However, they are not sitting idle. More than half (56%) said their organization's applications contain open-source packages, and 57% said software supply chain security was a "top" or "significant" area of focus.

More than half (54%) are planning to use, or are currently investigating, a potential solution, while 50% are requesting software bills of materials (SBOMs) from their vendors.

For Amit Daniel, Chief Marketing Officer at Checkmarx, it’s critical for CISOs and security leaders to make it easier for developers to understand the new risks and secure their entire software supply chain.

"'Malicious' is much more than vulnerable. We have seen more attacks on the open source ecosystem in the last two years than ever before, with over 385,000 malicious packages detected to date by our own Checkmarx security research team," Daniel said. "Software supply chain security has become an active target of government regulatory and cybersecurity agencies and is top of mind for over half of global enterprises we surveyed."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
