As we move deeper into 2023, reflection on 2022 shows that many issues around the software supply chain have changed dramatically. Software supply chain attacks increased, and the shift in market conditions with heavy tech layoffs combined with regulatory changes and digital transformation efforts launched during the pandemic created a complex security dynamic for organizations.
Given this change, a few important trends have unfolded. First, as the software supply chain in general has been poorly understood (and even more poorly defended), attackers have taken note.
Attacks have escalated exponentially over the past year, highlighting how software developers are now seen as high-value targets. This was recently demonstrated by the breaches at CircleCI, Okta, and LastPass, all of which originated from the undefended workstations of software development staff. On top of this, we’ve seen other types of attacks, such as ransomware, begin to converge with these new software supply chain delivery channels. It’s clear that bad actors are looking to the open-source ecosystem as an initial access point from which to escalate into more sophisticated attacks.
In 2023, software supply chains will only become more enticing to attackers, just as resources get stretched thinner. Tech companies are experiencing layoffs at a time when DevSecOps and application security teams are already overburdened with managing the huge volume of findings their existing tools produce. These teams are now tasked with implementing the new compliance requirements that have surfaced with the emerging software bill of materials (SBOM) mandates, and they must referee the legal risks and complexities that will come with shipping full manifests to all of their clients and consumers. The same teams are also on the hook to get their arms around the new breed of software supply chain attacks that are heavily targeting enterprises. This will force companies to find ways to do more with less.
Given the level of success attackers have seen thus far in infiltrating organizations through these vectors, expect this uptick in software supply chain compromises to continue. On top of this, many of the new hygiene initiatives around the open-source ecosystems (such as the OpenSSF Alpha-Omega initiative) mean that we'll see many more findings in the vein of Log4j that development and security teams will need to fix. Additionally, potential regulatory changes will ultimately mean many thousands of lost development hours if the automation problems that exist today in many security and development programs are not addressed.
In short, many trends have emerged over the last year that have pushed software supply chain security to the forefront of the conversation. This shift in the security landscape resulted in many organizations scrambling to understand massive amounts of unrealized risk exposure, a bevy of changes to regulations, and a large amount of added scrutiny to parts of their security posture that up until recently have been left fallow. These changes, along with shifting market conditions that will inevitably mean tighter budgets, will require an evolution around how security organizations think about defending the software supply chain.
Technology, such as automation with high-fidelity outputs and policy enforcement, will play a big role in overcoming these challenges. More importantly, adopting those tools and policies will require development and security teams to align and work more closely together. Hopefully, this year we’ll see these teams come together to adopt true, robust DevSecOps.
Aaron Bray, co-founder, Phylum