Most severe supply chain attacks occur due to third-party dependencies

Software supply chain attacks occur primarily because most software development involves using third-party dependencies. 

The most severe attacks occur on a “Zero Day,” which refers to vulnerabilities that have been discovered without any available patch or fix, according to William Manning, solution architect at DevOps platform provider JFrog, in an ITOps Times Live! on-demand webinar “Zero Day doesn’t mean Zero hope – Fast detection / Fast remediation.”

These types of vulnerabilities can severely impact a company’s reputation, credibility, and financial stability, and there are three variations of Zero Day attacks that can occur: vulnerabilities, exploits, and attacks. For example, an attacker can use a zero-day exploit to gain initial access to a system and then use a software supply chain attack to install a persistent back door or malware on the compromised system.

The time it takes for organizations to recognize these attacks has also gone up from 12 days in 2020 to 42 days in 2021, according to Manning. Managing the blast radius to lower the mean time to remediation (MTTR) is one of the first steps that an organization should take. 

“One of the things, whenever I discuss this with customers, is how do you know not only what’s affected, but when it was affected, and how long you’ve been affected? And what else it’s affected?” Manning said. “When you find something, what’s the blast radius of affecting your organization in terms of software development, and knowing that 80% of the public exploits that are out there are actually done before a CVE is even published.” 

Managing zero-day vulnerabilities that can prevent these software supply chain attacks can also be a time-consuming process. That’s why organizations have to strike a delicate balance, according to Manning.

“Developers are artists in what they do and their palette and medium that they use to express themselves is of course the code that they produce, but that also includes the actual transitive dependencies, both direct and indirect,” Manning said. “You want to be able to go ahead and make sure that they’re building safe software for your company for things like reputation and revenue, but you don’t want to hinder the software developer’s ability to do what they do.” 

Be sure to check out this webinar to learn more about how to use the JFrog Platform to combat potential threats within the organization throughout the whole SDLC through front-line defense, identifying the blast radius, using JIRA and Slack integrations, and more.