
SolarWinds and Log4j remain two of the most notorious supply chain cyberattacks ever perpetrated. Both highlight the risk of relying on third-party software vendors without increased cyber diligence. With the SolarWinds attack in 2020, Russian threat actors injected malicious code into SolarWinds’ Orion network management software, compromising the operation and integrity of thousands of enterprises and government agencies worldwide. And with Log4j, an open-source logging tool used by millions of software apps and online services around the globe, a vulnerability exploited in November 2021 let attackers break into users’ systems, steal passwords, logins, and other data, and infect their networks with malicious code.
Software supply chains are under attack
Unfortunately, software supply chains are especially vulnerable to cyberattacks since modern software development relies on many off-the-shelf components, including open-source code and third-party APIs, which can be susceptible to compromise. Bad actors have taken note, with a 742% increase in software supply chain attacks over the past three years, including one successful attack happening every two days. By the end of this year, Gartner estimates that 45% of organizations will have experienced at least one supply chain attack.
Applying Zero Trust to the supply chain
With the central tenet of “never trust, always verify,” adopting a Zero Trust strategy has long been considered a cybersecurity best practice. And the SolarWinds and Log4j attacks reinforce that Zero Trust must extend beyond an organization’s employees, assets, and operations to encompass the entire supply chain in order to be effective. But software supply chain security is broader than just these two incidents. Here are some of the more common software supply chain attack vectors:
- Open-source repository attacks – Threat actors purposely upload malicious packages to open-source repositories to snare unsuspecting developers. It’s estimated that this attack type increased 150% in 2024 alone.
- Closed-source commercial software attacks – While open-source repositories may seem the most obvious target, a new report reveals that the most prominent threat actually lies in closed-source commercial software including exposed secrets, actively exploited security vulnerabilities, code tampering, and inadequate application hardening.
- Credential theft and unauthorized commits – A bad actor compromises a developer account or source code management system and then injects malicious code and/or publishes malicious packages. Most recently in March, a malicious GitHub Action commit resulted in a massive exposure of secrets, potentially compromising thousands of code repositories.
- LLMjacking – Using this relatively new attack vector, cybercriminals gain unauthorized access to companies’ generative AI platforms, including stolen access to large language models (LLMs) from OpenAI, Anthropic, DeepSeek, and more. This can result in AI model poisoning, intellectual property theft, and other adverse outcomes.
- Zero-day attacks on SaaS-based platforms – With increased reliance on low/no-code SaaS platforms like Atlassian and ServiceNow, bad actors seek to exploit vulnerabilities in customer workflows, automation scripts, and misconfigured environments. A single misconfigured Slack or SharePoint instance can expose sensitive data and/or enable lateral movement across other organizational assets.
- Publishing server or build system compromise – Bad actors have learned that many software vendors have traditionally applied less security diligence to publishing servers or build systems than to production environments, making this attack vector a relatively more attractive target. With this type of attack, the cybercriminal accesses and exploits the operating system of the DNS server being used for publishing or build, which can then result in DNS hijacking, DNS cache poisoning, and more.
Getting and making sense of SBOMs
Central to each of these attacks is the integrity of the supplied software, which is why it is imperative for organizations to get a software bill of materials (SBOM) from each supply chain partner. This SBOM provides complete visibility into all software components in a partner’s application, including versions and dependencies. Organizations can then use this information to identify any potential vulnerabilities, prioritize patches and updates, assess their cyber risk posture, and proactively mitigate any cyber threats.
While that may seem simple enough, think again. The typical large organization uses 660 different SaaS applications. So, imagine having to check 660 different SBOMs for Log4j use or the latest vulnerability, all at a second’s notice. Plus, Microsoft reports that its customers are facing 600 million attacks daily. While not all of these are supply chain attacks, you can see how the workload grows exponentially with each new SBOM and each new cyberattack.
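The "check every SBOM for Log4j" task described above, as an added example that is not part of the original post or of any Entrust product: it scans a set of CycloneDX-style JSON SBOMs (constructed sample data, with made-up supplier names) for a given Maven component and flags any instance below an assumed policy threshold version. The component coordinates, the threshold (2.17.1 here) and the SBOM ids are assumptions for illustration.

```python
import json
import re

# Constructed sample SBOMs in the CycloneDX JSON style (real SBOMs carry many more fields).
# Supplier ids and component versions are made up for illustration.
SAMPLE_SBOMS = {
    "vendor-a-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        ]}),
    "vendor-b-billing": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},  # no "group" field
        ]}),
    "vendor-c-hr": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.11"}]}),
}

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into a comparable tuple; '2.15' equals '2.15.0'."""
    release, _, pre = v.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", release)][:3]
    nums += [0] * (3 - len(nums))
    # A pre-release such as 2.0-beta9 sorts below its final release 2.0.
    return tuple(nums) + (0 if pre else 1,)

def find_component(sboms: dict, group: str, name: str, fixed_in: str) -> list:
    """Scan every SBOM for group:name (by fields or by purl) and return
    (sbom_id, version, needs_patch) for each hit, needs_patch meaning version < fixed_in."""
    fixed = parse_version(fixed_in)
    purl_prefix = f"pkg:maven/{group}/{name}@"
    hits = []
    for sbom_id, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            by_fields = comp.get("group") == group and comp.get("name") == name
            by_purl = comp.get("purl", "").startswith(purl_prefix)
            if by_fields or by_purl:
                version = comp.get("version", "")
                hits.append((sbom_id, version, parse_version(version) < fixed))
    return hits

if __name__ == "__main__":
    # Assumed policy: anything below 2.17.1 needs a patch request to that supplier.
    for sbom_id, version, needs_patch in find_component(
            SAMPLE_SBOMS, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(f"{sbom_id}: log4j-core {version} -> {'PATCH' if needs_patch else 'ok'}")
```

On a real estate of SBOMs the same loop runs over files on disk or an SBOM store, and the hit list becomes the per-supplier patch tracking view the section above calls for.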
At-a-glance supply chain visibility
CISOs need unified visibility across all their organization’s software supply chain vendors and SBOMs to stay ahead of this monumental lift. This is the value of taking a cryptographic security platform approach that provides complete at-a-glance supply chain visibility with a unified SBOM security, compliance, and risk dashboard. This lets CISOs quickly and easily identify potential supply chain vulnerabilities, prioritize patches and updates, assess cyber risk posture, and proactively mitigate cyber threats.
With a platform approach, software supply chain security becomes an integral component of an organization’s larger cryptographic data security program rather than an add-on. CISOs are empowered with complete at-a-glance visibility and control across the organization and its supplier ecosystem, realizing a true Zero Trust strategy.
With the Entrust Cryptographic Security Platform, your organization can achieve visibility, management, and automation from a unified view.