The Top Threats Undermining the Security of Software Supply Chains
The software supply chain is evolving at an unprecedented rate, exposing organizations to more threats than ever before. As companies race to innovate and developers struggle to keep up, they often find themselves adding a number of new tools, frameworks, and open-source components into their environments to ease the burden. While this drive for agility and innovation is essential for companies to maintain a competitive edge, it also introduces new layers of complexity and risk throughout the software supply chain.
Each new tool introduces more complexity for developers and security teams, plus potentially unforeseen vulnerabilities that may be difficult to detect until it’s too late. As teams rely more heavily on open source and shared components, threats such as malicious packages, exposed secrets, and CVEs are multiplying at an alarming rate.
In 2024 alone, security researchers disclosed over 33,000 new CVEs — a 27% increase from 2023, surpassing the 24.5% growth rate of new software packages. This rise in CVEs adds significant pressure on developers and security teams, potentially hindering innovation as they instead look to remediate these dangerous threats.
Attackers are also quick to exploit these weak points, knowing that a single compromised component can trigger extensive consequences. In addition to immediate financial losses, organizations risk lasting reputational damage and erosion of customer trust if sensitive data is exposed. Take the recent breach at Marks and Spencer, for example — cybercriminals not only disrupted critical operations, but also wiped out nearly $400 million from its group operating profits.
The scale and speed at which these components are adopted can make it difficult for DevSecOps teams to keep up, especially when resources are limited and priorities are constantly shifting. To remain competitive and resilient, organizations must be equipped with the right tools to face the most significant security risks head-on, while keeping pace with the ever-evolving threat landscape.
The top security concerns
Software supply chains are facing a barrage of sophisticated, rapidly evolving cybersecurity threats that challenge even the most robust security postures. As organizations increasingly depend on third-party components, open-source libraries, and more, the attack surface has expanded dramatically. In this high-stakes landscape, safeguarding software supply chains has become a critical mission for organizations of all sizes.
Recent research found four key factors impacting the integrity and security of the software supply chain:
- Common Vulnerabilities and Exposures (CVEs): In 2024, over 33,000 new CVEs were disclosed — a 27% increase from 2023. Yet only 12% of the CVEs rated "critical" truly warranted that score. It’s like a fire alarm constantly triggered by something minor like burnt toast — eventually, people begin to tune it out, increasing the risk of missing a real fire. This alert fatigue can create critical gaps in protection, exposing organizations to dangerous attacks that could have been prevented.
- Malicious packages: The growing popularity of public repositories allows threat actors to upload malicious packages that are masquerading as legitimate software. Developers under pressure to move quickly may unknowingly download these compromised packages, creating hidden entry points to launch devastating attacks against the enterprise. Without the proper vetting, monitoring, and controls in place, a single malicious package can cause a ripple effect through the software supply chain, resulting in widespread organizational risk.
- Secrets exposure: The accidental exposure of secrets such as API keys, credentials, and tokens left embedded in code remains a persistent and growing threat to organizations. In 2024 alone, 25,229 exposed secrets and tokens were detected in public repositories — a staggering 64% increase year-over-year. As developers continue to deliver new innovations at a rapid pace, the risk of secrets being unintentionally leaked rises in parallel, which can lead to significant impacts across the software supply chain.
- Misconfigurations/human error: As environments become more complex and interconnected, the consequences of a single misstep are amplified and can expose the software supply chain to a range of risks, such as exposing sensitive data or disrupting critical systems. This risk of human error rises when you consider the pressures developers face not only to remediate critical vulnerabilities, but also to prioritize new innovations in software development. Without the proper tools in place, threats driven by human error will only increase.
While the volume of threats to the software supply chain continues to rise, building security into software development from the very beginning can help ensure a more proactive line of defense against these pervasive threats. This also gives security leaders greater flexibility with open-source or publicly developed AI/ML code, better control over their software development, fewer opportunities for CVE exploitation, and the confidence to innovate securely in a complex digital landscape.
Shift left to stay ahead
As the software supply chain grows more complex and dynamic, the risks facing organizations multiply — and so does the need for stronger, more adaptive security measures. Conventional security methods are falling short in today’s threat landscape, as security teams are often unaware of critical vulnerabilities facing their organizations until it’s too late.
For example, a significant number of organizations still allow developers to pull software components directly from public registries without validating that they are secure. While the practice may be convenient and expedient, it opens the door to organization-wide risk and limits traceability, which is the lifeblood of a secure software supply chain.
To help teams stay vigilant and remediate these prominent threats to their software supply chains, security leaders should embrace the “shift left” mentality and bake security into every step of the development lifecycle. This includes deploying tactics such as contextual analysis for CVEs, constantly scanning for malicious packages before they are introduced into an environment, building in secrets detection mechanisms, and more to better protect every level of the software supply chain.
Security leaders must embrace robust cyber hygiene practices, such as scanning at both the code and binary levels, integrating curation with secrets detection, and applying advanced contextual analysis throughout the software development life cycle. By proactively reinforcing every stage of development, organizations can outpace evolving threats and build a stronger, more resilient software supply chain.
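One of the shift-left controls named above, secrets detection before code lands, as an added example that is not from the article or any product it describes: a pre-commit style scan over constructed sample lines that combines a few vendor-format patterns with an entropy check, so low-entropy placeholders do not add to the alert fatigue described earlier. The patterns, sample lines, allowlist marker and threshold are my own assumptions.

```python
import math
import re

# Constructed sample lines standing in for a staged diff (no real secrets).
SAMPLE_LINES = [
    'db_url = "postgres://app:s3cr3tPassw0rd!@db.internal/app"',
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"',
    'github_token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123"',
    'signing_secret = "q8Zt2vLm9Xp4Ky7Rw1Jn5Bd3Fh6Gc0Ve"',
    'api_key = os.environ["API_KEY"]',                      # correct: read at runtime
    'api_key_placeholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',  # low entropy, no alert
    'token = "REDACTED"  # secrets-allow: documented test fixture',
]

# Vendor-format patterns (assumed shapes): high confidence, low noise.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_basic_auth": re.compile(r"://[^/\s:]+:([^@\s]+)@"),
}
# Generic fallback: an assignment whose name hints at a credential and whose
# quoted value is long; reported only when the value is high-entropy.
GENERIC_ASSIGN = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']")
ALLOW_MARKER = "secrets-allow"  # explicit, reviewable opt-out on the same line

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score ~4.5+, padding scores near 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line: str, min_entropy: float = 3.5) -> list[str]:
    """Return finding names for one line; allowlisted lines are skipped."""
    if ALLOW_MARKER in line:
        return []
    findings = [name for name, pat in KNOWN_PATTERNS.items() if pat.search(line)]
    m = GENERIC_ASSIGN.search(line)
    if m and not findings and shannon_entropy(m.group(2)) >= min_entropy:
        findings.append("high_entropy_credential")
    return findings

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings; a non-empty result should block the commit."""
    return {i: f for i, line in enumerate(lines, 1) if (f := scan_line(line))}

if __name__ == "__main__":
    for lineno, names in scan(SAMPLE_LINES).items():
        print(f"line {lineno}: {', '.join(names)}")
```

Wiring this into a pre-commit hook that fails on any finding keeps the secret out of history, which is far cheaper than rotating it after it reaches a public repository.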