OX Researchers Analyze Millions of Vulnerabilities Against the Industry’s First Supply-Chain Security Specific Attack Matrix

OX Security, the pioneer in Active Application Security Posture Management (Active ASPM), today issued the OSC&R community’s inaugural software supply chain threat report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures." Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, the report is the first comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. OSC&R in the Wild quantifies the ongoing challenge of detecting and remediating severe security risks among the 97% of benign alerts, and offers guidance for adopting a more proactive, attacker-centric security strategy.

The Open Software Supply Chain Attack Reference (OSC&R) framework, first published in early 2023, was developed collaboratively by cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, FICO, and more. OSC&R is a MITRE ATT&CK-like framework that gives organizations a single point of reference to proactively assess their strategies to secure their software supply chains. The goal of this inaugural OSC&R report is to help AppSec teams better understand how adversaries view and target the entire kill chain, and to help prioritize where best to focus their limited resources.

The report found that many applications contained multiple vulnerabilities spanning various stages of the kill-chain, leaving them even more vulnerable to a successful attack. And a surprising number of long-documented vulnerabilities were still frequently found in the wild. For instance, older tactics such as backdoor code insertion remain prevalent. The recently discovered CVE-2024-3094 exploit, targeting XZ Utils in major Linux distributions, shows that attackers still successfully use this method. The widespread presence of these vulnerabilities in the report’s code samples underscores the persistent risk.

Key Findings include:

  • AppSec teams face an unmanageable volume of alerts: The average AppSec team monitors 129 applications and triages over 119,000 security alerts annually.
  • Most organizations face high severity risks: 95% percent of organizations had at least one high, critical, or apocalyptic risk (the three highest rankings of severity) within their software supply chain, with the average organization having nine such issues
  • One in five applications contain run-time exposure: Analysis against attack phases showed that 20% of all applications have high, critical, or apocalyptic issues during the Execution stage, where attackers aim to deploy malicious code.
  • Older vulnerabilities are still the most common: While some newer tactics did appear, the three most frequently observed vulnerabilities: command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) have all been around for many years.
  • Six of the top ten most commonly observed vulnerabilities are tied to poor implementation of fundamental security practices such as authentication, encryption, exploitable information in logs, and the principle of least privilege.
  • Automated alert analysis helps reduce the noise: automated, contextual analysis dramatically reduced the volume of overall alerts by more than 97%, accelerating the identification of the critical alerts organizations need to address.

“One of the questions our researchers sought to answer was whether there was alignment between the vulnerabilities found in the wild and the focus of AppSec teams,” said Neatsun Ziv, CEO of OX Security. “The data suggests there is a misalignment. We found significant vulnerabilities at every stage of the kill chain. The volume of vulnerabilities passing through the supply chain into live applications, and the high percentage of organizations reporting incidents, indicate that AppSec teams need to focus on both threat detection and fostering a culture of continuous improvement and adaptation in security practices.”

Utilizing the OSC&R framework with Application Detection and Response (ADR) and Application Security Posture Management (ASPM), organizations can gain a comprehensive understanding of their software supply chain vulnerabilities, adopting a more proactive, attacker-centric security strategy. This approach will help foresee potential threats and implement robust defenses, ultimately reducing the likelihood of severe vulnerabilities reaching production code.

“As reliance on software supply chains has increased for enterprise application development, attackers have been quick to exploit vulnerabilities within third-party code,” said David Cross, former Microsoft and Google cloud security executive and founding OSC&R member. “The OSC&R report underscores the critical importance of the OSC&R framework in addressing software supply chain vulnerabilities. The report not only highlights the pervasive nature of these threats but also provides a comprehensive methodology for AppSec teams to prioritize their efforts effectively. By leveraging the OSC&R framework, organizations can gain deeper insight into adversarial behaviors and better align their security strategies to mitigate risks. It's an invaluable resource for any organization looking to strengthen their software supply chain security posture.”

Download the full "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures" report here.

About the OSC&R Community

The Open Software Supply Chain Attack Reference (OSC&R) community is a collaborative effort dedicated to enhancing the security of software supply chains. Launched in February 2023 and spearheaded by OX Security, the community includes cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, and FICO. These experts created the OSC&R framework, modeled after MITRE ATT&CK, to help organizations assess their software supply chain security strategies, identify vulnerabilities, and compare solutions effectively. As an open-source framework, OSC&R provides actionable insights into the tactics, techniques, and procedures (TTPs) used by adversaries to compromise software supply chains. By providing a standardized language and framework, OSC&R empowers the security community to proactively secure software supply chains and mitigate risks. For more information, visit pbom.dev or join the conversation and contribute to our Slack community.

About OX Security

At OX Security, we’re unifying application security (AppSec) with the first-ever Active ASPM platform, which ensures seamless visibility and traceability from code to cloud. Leveraging our proprietary AppSec Data Fabric, OSC&R framework, and Attack Path Reachability Analysis, OX delivers comprehensive security coverage, contextualized prioritization, and automated response and remediation throughout the software development lifecycle. Recently recognized as a Gartner Cool Vendor and a SINET 16 Innovator, OX is trusted by dozens of global enterprises and tech-forward companies. Founded by industry leaders Neatsun Ziv, former VP of CheckPoint’s Cyber Security business unit, and Lior Arzi from Check Point's Security Division, OX’s Active ASPM platform is more than a solution; it empowers organizations to take the first step toward eliminating manual AppSec practices while enabling scalable and secure development.

Suzanne Tuchler Eskenzi PR for OX suzanne@eskenzipr.com 408-307-6900