IT Security Guru

First Annual OSC&R Report Reveals 95% of Organizations Have at Least One Severe Security Risk Within their Software Supply Chain

OX Researchers Analyze Millions of Vulnerabilities Against the Industry’s First Supply-Chain Security Specific Attack Matrix

by The Gurus
July 17, 2024
in Security News, Software

OX Security, the pioneer in Active Application Security Posture Management (Active ASPM), today issued the OSC&R community’s inaugural software supply chain threat report, “OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures.” Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, the report is the first comprehensive analysis of the severity of vulnerabilities across the software supply chain kill chain. OSC&R in the Wild quantifies the ongoing challenge of detecting and remediating severe security risks among the 97% of alerts that turn out to be benign, and offers guidance for adopting a more proactive, attacker-centric security strategy.

The Open Software Supply Chain Attack Reference (OSC&R) framework, first published in early 2023, was developed collaboratively by cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, FICO, and more. OSC&R is a MITRE ATT&CK-like framework that gives organizations a single point of reference to proactively assess their strategies for securing their software supply chains. The goal of this inaugural OSC&R report is to help AppSec teams better understand how adversaries view and target the entire kill chain, and to help them prioritize where best to focus their limited resources.

The report found that many applications contained multiple vulnerabilities spanning various stages of the kill chain, leaving them even more exposed to a successful attack. A surprising number of long-documented vulnerability classes were still frequently found in the wild. For instance, older tactics such as backdoor code insertion remain prevalent: the recently discovered XZ Utils backdoor (CVE-2024-3094), which reached the packages of major Linux distributions, shows that attackers still use this method successfully. The widespread presence of these vulnerabilities in the report’s code samples underscores the persistent risk.

Key Findings include:

  • AppSec teams face an unmanageable volume of alerts:
  • Most organizations face high severity risks: 95% of organizations had at least one high, critical, or apocalyptic risk (the three highest severity rankings) within their software supply chain, with the average organization having nine such issues.
  • One in five applications contain run-time exposure: analysis against attack phases showed that 20% of all applications have high, critical, or apocalyptic issues during the Execution stage, where attackers aim to deploy malicious code.
  • Older vulnerabilities are still the most common: while some newer tactics did appear, the three most frequently observed vulnerabilities, command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications), have all been known for many years.
  • Six of the top ten most commonly observed vulnerabilities are tied to poor implementation of fundamental security practices such as authentication, encryption, keeping exploitable information out of logs, and the principle of least privilege.
  • Automated alert analysis helps reduce the noise: automated, contextual analysis dramatically reduced the volume of overall alerts by more than 97%, accelerating the identification of the critical alerts organizations need to address.
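The three most common findings above are all classic implementation defects. The following is an added illustration for this page in Python, not code from the OSC&R report or from OX Security, showing each weak pattern next to its hardened form: OS command injection via a shell string versus an argv list, sensitive data written to logs versus a redacting log filter, and reflected cross-site scripting versus HTML escaping. The function names, the `demo.redact` logger and the sample inputs are all invented for the example.

```python
"""Weak and hardened forms of the three most common OSC&R findings
(added example; function names and sample inputs are constructed)."""
import html
import logging
import re
import subprocess


# --- 1. OS command injection -------------------------------------------------
def echo_unsafe(user_text: str) -> str:
    """Weak: user input is concatenated into a shell command line, so shell
    metacharacters (';', '|', '$(...)') in the input are executed by /bin/sh."""
    out = subprocess.run("echo " + user_text, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def echo_safe(user_text: str) -> str:
    """Hardened: argv list and no shell; the whole input is a single argument,
    so metacharacters reach the program as literal characters."""
    out = subprocess.run(["echo", user_text], capture_output=True, text=True)
    return out.stdout


# --- 2. Sensitive data in log files ----------------------------------------
# Matches "key=value" / "key: value" pairs for common secret names, including
# "Authorization: Bearer <token>" style headers, case-insensitively.
SECRET_PAIR = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|authorization|api[_-]?key)\b"
    r"\s*[=:]\s*(?:(?:bearer|basic)\s+)?\S+"
)


def redact(message: str) -> str:
    """Replace the value of every recognised secret key with [REDACTED]."""
    return SECRET_PAIR.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Logger-level filter that scrubs the fully formatted message before any
    handler writes it, so secrets never reach the log file."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # already interpolated above
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_with_redaction(message: str) -> str:
    """Log one line through a redacting logger and return what was written."""
    logger = logging.getLogger("demo.redact")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.filters.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message)
    return handler.lines[0]


# --- 3. Cross-site scripting -------------------------------------------------
def render_comment_unsafe(comment: str) -> str:
    """Weak: untrusted text is interpolated straight into HTML."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: escape '<', '>', '&' and quotes before interpolating."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    payload = "hello; echo INJECTED"           # constructed attacker input
    print(echo_unsafe(payload), end="")       # runs the injected command
    print(echo_safe(payload), end="")         # echoes the text literally
    print(log_with_redaction("login user=alice password=hunter2 "
                             "Authorization: Bearer eyJabc"))
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The command-injection pair is the one to study: the only difference is that the hardened form never hands the input to a shell parser. The log filter is attached to the logger rather than a handler so that every destination (file, syslog, SIEM forwarder) receives the scrubbed record.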

“One of the questions our researchers sought to answer was whether there was alignment between the vulnerabilities found in the wild and the focus of AppSec teams,” said Neatsun Ziv, CEO of OX Security. “The data suggests there is a misalignment. We found significant vulnerabilities at every stage of the kill chain. The volume of vulnerabilities passing through the supply chain into live applications, and the high percentage of organizations reporting incidents, indicate that AppSec teams need to focus on both threat detection and fostering a culture of continuous improvement and adaptation in security practices.”

Using the OSC&R framework together with Application Detection and Response (ADR) and Application Security Posture Management (ASPM), organizations can gain a comprehensive understanding of their software supply chain vulnerabilities and adopt a more proactive, attacker-centric security strategy. This approach helps anticipate potential threats and implement robust defenses, ultimately reducing the likelihood of severe vulnerabilities reaching production code.

“As reliance on software supply chains has increased for enterprise application development, attackers have been quick to exploit vulnerabilities within third-party code,” said David Cross, former Microsoft and Google cloud security executive and founding OSC&R member. “The OSC&R report underscores the critical importance of the OSC&R framework in addressing software supply chain vulnerabilities. The report not only highlights the pervasive nature of these threats but also provides a comprehensive methodology for AppSec teams to prioritize their efforts effectively. By leveraging the OSC&R framework, organizations can gain deeper insight into adversarial behaviors and better align their security strategies to mitigate risks. It’s an invaluable resource for any organization looking to strengthen their software supply chain security posture.”

Download the full “OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures” report here

© 2015 - 2024 IT Security Guru - Website Managed by Dessol