The software supply chain has become a critical area of concern for enterprises as they navigate an increasingly complex and interconnected digital landscape. A recent report from JFrog, a leading provider of software supply chain management solutions, sheds light on the growing challenges and risks organizations face in securing their software ecosystems.
The “Software Supply Chain State of the Union 2024” report, released last week, reveals that the modern software supply chain is multi-tech, multi-sourced, and multinational, with a significant portion of organizations using more than 10 programming languages. “About half of organizations (53%) utilize 4-9 programming languages, while a substantial 31% use more than 10 languages,” the report states.
This complexity has led to an explosion of open-source packages and libraries available for use when creating applications. “Docker and npm were the most-contributed to package types. PyPI contribution also increased, likely driven by AI/ML use cases,” according to the report. However, this abundance also introduces a world of potential risk for organizations.
In 2023 alone, security researchers globally disclosed over 26,000 new CVEs (Common Vulnerabilities and Exposures), continuing the trend of year-over-year growth in the number of vulnerabilities. The report highlights that “the most common types of vulnerabilities in 2023 were Cross-site Scripting, SQL Injection, and Out-of-bounds Write. Cross-Site Request Forgery also became more prevalent.”
Misleading vulnerability scores mask true risk
Shachar Menashe, Sr. Director at JFrog Security Research, emphasized the misleading nature of CVSS (Common Vulnerability Scoring System) scores when it comes to real-world exploitability. “By design, CVSS scores do not have a ‘context-dependent’ attack vector, even though all library vulnerabilities are by definition context-dependent,” Menashe explained in an interview with VentureBeat. “This means that a vulnerability that is exploitable by default is given the same score as a vulnerability that is only exploitable in an extremely rare software configuration.”
The report also reveals that “74% of the CVEs with High and Critical CVSS scores on the top 100 DockerHub community images aren’t actually exploitable.” This underscores the importance of looking beyond surface-level vulnerability scores and assessing the true risk based on the specific context and configuration of an organization’s software.
Hidden risks lurk in software supply chains
The report also highlights hidden risks in software supply chains. “Human error and exposed secrets account for a notable portion of the potential risk in your software supply chain,” the report states.
Menashe elaborated on this point, stating, “There are unique benefits to scanning at the binary level (builds vs. source code) as that is when you’re scanning and validating what is actually going to be running in production and there are certain exposures that only present themselves once code has been compiled, especially leaked secrets – which aren’t present in the source code but then get ‘tacked on’ to the final image by the CI/CD pipeline.”
Disjointed security approaches cost valuable time and resources
Despite the growing awareness of software supply chain risks, organizations are still grappling with disjointed security approaches that are costing development teams valuable time and resources. The report found that “60% of professionals say their team typically spends 4 days or more remediating application vulnerabilities in a given month.”
Menashe advises companies to prioritize vulnerabilities more effectively by investing in security solutions that contextualize scanning results. “Just flagging that CVEs are present in the scanned image or build isn’t enough anymore. The contextual scanning can either be done statically or dynamically (runtime solutions), but ignoring the context leads to ~75% of false positives (conservative estimate), as we’ve shown both in last year’s and this year’s reports,” he said.
The report also highlights the growing number of application security tools as a potential problem for companies. “The number of security offerings in the market is exploding, and for organizations, there are a few significant challenges with adopting so many security tools. Too many point solutions can cause gaps in coverage, competing results, and alert fatigue — which bog down development workflows,” Menashe explained.
AI and machine learning bring new challenges
The influx of artificial intelligence (AI) and machine learning (ML) in software development has also brought new challenges to the forefront. While “94% say their organization applies measures to review the security and compliance of open-source machine learning models,” according to the report, “nearly 1 in 5 say their organization doesn’t allow AI/ML assistance in code creation due to security and compliance concerns.”
Looking ahead, Menashe predicts that the use of AI for coding will continue to grow, but cautions against the security risks that could arise. “We expect the number of companies using GenAI-developed code will continue to grow at an alarming rate given its demonstrable impact on developer productivity. However, it’s important for all developers and companies to know that employing such practices can have an immense impact on the security and compliance because GenAI cannot produce secure code despite such claims in their documentation,” he warned.
Menashe also highlighted a potential threat for 2024, stating, “One thing CISOs need to be on the lookout for in 2024 is attackers increasingly exploiting the fact that AI will sometimes make up libraries that don’t exist. Bad actors will prompt Chat GPT tools with queries from developers to see if the AI generated code includes made-up libraries. The attackers will then create those libraries so they appear legitimate. When a developer copies and pastes the code they unwittingly reference a malicious package.”
Key recommendations for securing software supply chains
As organizations navigate the ever-evolving software supply chain landscape, the JFrog report serves as a wake-up call to prioritize security and adopt a comprehensive approach to managing software vulnerabilities.
Menashe offers several key recommendations for IT leaders looking to better secure their software supply chains:
- “Organizations should prevent developers from downloading OSS packages directly from the internet, and instead use an artifact management solution as an intermediary to proxy public registries. This allows organizations to review and secure artifacts coming into their organization and proactively block malicious and unwanted packages before they reach the developer environment.”
- “They should manage all inputs (i.e. third-party and open-source packages) and outputs (builds) that make up a software release in a single system that has end-to-end application security seamlessly built-in. This ensures security policies are applied consistently across teams and workflows, and provides DevOps and Security teams a shared pane of glass from which to operate.”
- “Organizations should adopt anti-tampering approaches, such as code-signing, to ensure that nothing has changed about a potential release as it is matured. By signing potential releases and promoting it – not rebuilding – across environments as a piece of software matures, you can ensure that the software you’re releasing contains the secured, quality components you intended when it was originally compiled.”
By leveraging contextual scanning, consolidating security solutions, and proactively addressing the risks associated with AI-generated code, enterprises can fortify their software supply chains and safeguard against the hidden dangers lurking in their software ecosystems.
The JFrog report serves as a timely reminder that in the face of an ever-expanding attack surface, vigilance and a comprehensive approach to software supply chain security are more critical than ever.