
Open-Source Software—Is Your Supply Chain at Risk?

By Craig Kennedy

More and more software development teams are making use of open-source software components when developing and building modern enterprise applications.

There are many reasons driving this trend, the two primary ones being overall cost savings and a dramatic reduction in time to market, which gives software providers a competitive edge.

Open-Source—The New Attack Vector 

With the use of open-source software on the rise, it has become a lucrative attack vector for cybercriminals: attacks on open-source software increased by over 650% in 2021 according to Sonatype's recent State of the Software Supply Chain report.

Cybercriminals are exploiting known vulnerabilities in open-source components that organizations have not yet patched.

They are also planting malicious code directly in open-source components, for example by publishing look-alike packages or taking over maintainer accounts, so that the tainted component is pulled into the commercial software supply chain automatically by dependency-management and build tooling, with no human review in between.

Am I at Risk—Perception vs. Reality?

The high-profile SolarWinds supply-chain attack, disclosed in December 2020, was an eye-opening event for many enterprises and government organizations.

It demonstrated that a well-funded adversary can design and execute a sophisticated multi-stage supply-chain attack that breaches an organization's defenses and remains undetected for long periods while conducting espionage and other malicious activity.

As open-source components spread into almost all commercial enterprise software, they form a rapidly growing attack surface that cybercriminals are already actively exploiting.

The widespread Log4Shell vulnerability (CVE-2021-44228 in Apache Log4j 2) showed how pervasive open-source components have become, and how long it can take to determine whether you are affected and then remediate, because the library is frequently buried several layers deep in transitive dependencies and inside vendor products.

The reality is that your organization is almost certainly using open-source components within its technology stack.

How to Protect Your Assets—What’s in Your SBOM?

The first step is to know which open-source components exist within your enterprise application stack.

Request a software bill of materials (SBOM) from each of your technology providers, ideally in a machine-readable standard format such as SPDX or CycloneDX, so the inventory can be searched and matched against vulnerability advisories automatically rather than by hand.

There are also scanners that generate an SBOM automatically by analyzing an application binary or container image. Treat their output as a starting point rather than a complete inventory: an SBOM produced at build time, from the actual dependency resolution, is more reliable, because repackaged, vendored or statically linked components can escape binary analysis.

Knowing what components are in each application is invaluable when the next Log4Shell-like vulnerability is announced.

That information lets your organization assess its exposure immediately and respond proactively, instead of waiting for each vendor to confirm whether its product is affected.
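The exposure check this section describes, as an added example that is not part of the original article or of any SBOM tool: parse a CycloneDX JSON SBOM, walk its components (including nested assemblies), and flag every component whose package URL falls inside a published vulnerable version range. The SBOM below is constructed for illustration. The version range encodes CVE-2021-44228 as stated in the public Apache Log4j advisory (log4j-core 2.0-beta9 up to but excluding 2.15.0, with the backported fix releases 2.3.1 and 2.12.2 not affected); it is included to make the example concrete and should be re-checked against the authoritative advisory before use. The `ADVISORY` structure, `compare_versions` and `scan_sbom` are this example's own names.

```python
"""Match a CycloneDX SBOM against a published vulnerable-version range.

Added example: not code from the article's author or from any SBOM vendor.
"""
import json
import re
from typing import Iterator

# Constructed SBOM (CycloneDX 1.4 JSON shape) covering two applications plus
# some loose libraries. It is sample data, not an inventory of any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "billing-service", "version": "3.2.0",
         "purl": "pkg:generic/billing-service@3.2.0",
         "components": [  # nested assembly: the application's own dependencies
             {"type": "library", "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"type": "library", "name": "log4j-api", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
         ]},
        {"type": "application", "name": "reporting-service", "version": "1.8.0",
         "purl": "pkg:generic/reporting-service@1.8.0",
         "components": [
             {"type": "library", "name": "log4j-core", "version": "2.17.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
         ]},
        {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
        {"type": "library", "name": "log4j-core", "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        {"type": "library", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        # A component the supplier listed without a purl: it cannot be matched.
        {"type": "library", "name": "internal-utils", "version": "1.0"},
    ],
})

# Affected range for CVE-2021-44228 per the public Apache Log4j advisory (illustrative;
# re-check against the authoritative source). The purl prefix pins the exact artifact,
# so log4j-api and the unrelated Log4j 1.x artifact are not matched.
ADVISORY = {
    "id": "CVE-2021-44228",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
    "introduced": "2.0-beta9",   # first affected version (inclusive)
    "fixed": "2.15.0",           # first fixed version (exclusive)
    "unaffected": {"2.3.1", "2.12.2"},  # backported fixes inside the range
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")

def _tokens(version: str) -> list:
    # Numeric parts sort numerically; an alphabetic qualifier (alpha, beta, rc)
    # sorts below any number, so 2.0-beta9 < 2.0 and 2.0-beta9 < 2.0.1.
    return [(1, int(t), "") if t.isdigit() else (0, 0, t.lower())
            for t in _TOKEN.findall(version)]

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for Maven-style versions; shorter versions are zero-padded."""
    pa, pb = _tokens(a), _tokens(b)
    n = max(len(pa), len(pb))
    pa += [(1, 0, "")] * (n - len(pa))
    pb += [(1, 0, "")] * (n - len(pb))
    return (pa > pb) - (pa < pb)

def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed and version is not a backported fix."""
    if version in advisory["unaffected"]:
        return False
    return (compare_versions(version, advisory["introduced"]) >= 0
            and compare_versions(version, advisory["fixed"]) < 0)

def iter_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))

def scan_sbom(sbom_json: str, advisory: dict) -> dict:
    """Return affected purls, plus components that cannot be checked for lack of a purl."""
    sbom = json.loads(sbom_json)
    prefix = advisory["purl_prefix"]
    affected, unidentified = [], []
    for comp in iter_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(f"{comp.get('name', '?')}@{comp.get('version', '?')}")
            continue
        if purl.startswith(prefix):
            version = purl[len(prefix):].split("?")[0]  # drop purl qualifiers (?type=jar)
            if is_affected(version, advisory):
                affected.append(purl)
    return {"affected": sorted(affected), "unidentified": sorted(unidentified)}

if __name__ == "__main__":
    result = scan_sbom(SAMPLE_SBOM, ADVISORY)
    for purl in result["affected"]:
        print(f"{ADVISORY['id']}: {purl}")
    for name in result["unidentified"]:
        print(f"cannot check (no purl in SBOM): {name}")
```

Run against the constructed SBOM, the scan flags the two log4j-core artifacts inside the affected range (2.14.1 nested under billing-service, and the loose 2.0-beta9), leaves 2.17.1, the backported 2.12.2 fix, log4j-api and Log4j 1.x alone, and separately reports the component that had no purl. That last list is the practical point of asking suppliers for standard-format SBOMs: a component you cannot identify is one whose exposure you cannot assess.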

Bottom Line

Open-source components within enterprise software are growing and this trend is expected to continue.

This has created an expanding attack surface for cybercriminals looking to exploit the software supply chain.

Enterprises need to partner with their technology providers to ensure transparency about what is in their software stacks, so that future security issues can be identified quickly and their impact minimized and mitigated.





This blog is part of the Digital Operations blog series by Aragon Research's Sr. Director of Research, Craig Kennedy.

Missed an installment? Catch up here!

 

Blog 1: Introducing the Digital Operations Blog Series

Blog 2: Digital Operations: Keeping Your Infrastructure Secure

Blog 3: Digital Operations: Cloud Computing

Blog 4: Cybersecurity Attacks Have Been Silently Escalating

Blog 5: Automation—The Key to Success in Today’s Digital World

Blog 6: Infrastructure—Making the Right Choices in a Digital World
