Tech giants are grappling with growing software supply chain risk, a JFrog report reveals

The software supply chain has become a critical area of ​​concern for enterprises as they navigate an increasingly complex and interconnected digital landscape. A recent report from JFrog, a leading provider of software supply chain management solutions, sheds light on the growing challenges and risks organizations face in securing their software ecosystems.

The “Software Supply Chain State of the Union 2024” report, released last week, reveals that the modern software supply chain is multi-technology, multi-source and multinational, with a significant portion of organizations using more than 10 programming languages. “Roughly half of organizations (53%) use 4-9 programming languages, while a significant 31% use more than 10 languages,” the report said.

This complexity has led to an explosion of open source packages and libraries available for use in building applications. “Docker and npm contributed the most to package types. PyPI’s contribution also increased, likely driven by AI/ML use cases,” the report said. However, this abundance also presents a world of potential risk for organizations.

In 2023 alone, security researchers globally discovered more than 26,000 new CVEs (Common Vulnerabilities and Exposures), continuing the trend of increasing the number of vulnerabilities year after year. The report points out that “the most common types of vulnerabilities in 2023 were Cross-site Scripting, SQL Injection and Out-of-bound Write. Claim falsification between sites has also become more widespread.”

Misleading vulnerability ratings mask real risk

Shachar Menashe, senior director at JFrog Security Research, emphasized the flawed nature of CVSS (Common Vulnerability Scoring System) scores when it comes to real-world exploits. “By design, CVSS scores do not have a ‘context-dependent’ attack vector, even though all library vulnerabilities are context-dependent by definition,” Menashe explained in an interview with VentureBeat. “This means that a vulnerability that can be exploited by default gets the same score as a vulnerability that can only be exploited in an extremely rare software configuration.”

The report also reveals that “74% of CVEs with high and critical CVSS scores on the top 100 DockerHub community images are actually not exploitable.” This highlights the importance of looking beyond the surface-level vulnerability score and assessing the actual risk based on the organization’s specific context and software configuration.

Hidden risks lurk in software supply chains

The report also highlights the hidden risks lurking in software supply chains, with human error and exposed secrets accounting for a significant portion of potential vulnerabilities. “Human error and exposed secrets account for a significant portion of the potential risk in your software supply chain,” the report said.

Menashe elaborated on this point, saying, “There are unique advantages to scanning at the binary level (builds vs. source code) because then you’re scanning and verifying what will actually run in production, and there are certain exposures that only appear after the code is compiled, especially the leaked secrets – which are not present in the source code but are then ‘pinned’ to the final image by the CI/CD pipeline.”

Disjointed security approaches cost valuable time and resources

Despite growing awareness of risks in the software supply chain, organizations still struggle with disjointed security approaches that cost development teams valuable time and resources. The report found that “60% of experts say their team typically spends 4 days or more fixing application vulnerabilities in a given month.”

Menashe advises companies to prioritize vulnerabilities more effectively by investing in security solutions that contextualize scan results. “Merely indicating that CVEs are present in a scanned image or version is no longer sufficient. Contextual scanning can be done statically or dynamically (runtime solutions), but ignoring context leads to ~75% false positives (conservative estimate), as we showed in last year’s and this year’s reports,” he said.

The report also highlights the growing number of application security tools as a potential problem for businesses. “The number of security offerings on the market is exploding, and there are several significant challenges for organizations with adopting so many security tools. Too many point solutions can cause coverage gaps, competing results, and alert fatigue—making development workflows difficult,” explained Menashe.

AI and machine learning bring new challenges

The influx of artificial intelligence (AI) and machine learning (ML) in software development has also brought new challenges to the fore. While “94% say their organization implements measures to review the security and compliance of open source machine learning models,” according to the report, “nearly 1 in 5 say their organization does not allow AI/ML to help create code due to security and compliance concerns.”

Looking ahead, Menashe predicts that the use of artificial intelligence for coding will continue to grow, but warns of security risks that could arise. “We expect the number of companies using code developed by GenAI to continue to grow at an alarming rate given its obvious impact on developer productivity. However, it is important that all developers and companies know that implementing such practices can have a huge impact on security and compliance because GenAI cannot produce secure code despite such claims in their documentation,” he warned.

Menashe also highlighted a potential threat for 2024, saying, “One thing CISOs need to watch out for in 2024 is that attackers are increasingly taking advantage of the fact that AI will sometimes create libraries that don’t exist. Bad actors will request the Chat GPT tools with developer queries to see if the AI ​​generated code includes the fictional library. Attackers will then create these libraries to appear legitimate. When a developer copies and pastes code, they unwittingly point to a malicious package.”

Key recommendations for securing software supply chains

As organizations navigate the ever-evolving software supply chain landscape, the JFrog report serves as a wake-up call to prioritize security and adopt a comprehensive approach to software vulnerability management.

Menashe offers several key recommendations for IT leaders looking to better secure their software supply chains:

1. “Organizations should prevent developers from downloading OSS packages directly from the Internet and instead use an artifact management solution as a proxy for public registries. This enables organizations to inspect and secure artifacts coming into their organization and proactively block malicious and unwanted packages before they reach the development environment.”
2. “They should manage all the inputs (ie, third-party packages and open source packages) and outputs (builds) that make up a software release in a single system that has seamless end-to-end application security built in. This ensures consistent application of security policies across teams and workflows, and gives DevOps and security teams a common pane of glass from which to operate.”
3. “Organizations should adopt anti-tampering approaches, such as code signing, to ensure that nothing has been changed about a potential release as it matures. By signing potential releases and promoting them—not rebuilding—in different environments as a piece of software matures, you can ensure that the software you release contains the safe, quality components you intended when it was originally compiled.”

By leveraging contextual scanning, consolidating security solutions, and proactively addressing risks associated with AI-generated code, enterprises can strengthen their software supply chains and protect themselves from the hidden dangers lurking in their software ecosystems.

The JFrog report serves as a timely reminder that with the ever-expanding attack surface, vigilance and a comprehensive approach to software supply chain security are more critical than ever.