First Annual OSC&R Report Reveals 95% of Organizations Have at Least One Severe Security Risk Within their Software Supply Chain
17 July 2024 - 5:00AM
Business Wire
OX Researchers Analyze Millions of
Vulnerabilities Against the Industry’s First Supply-Chain Security
Specific Attack Matrix
OX Security, the pioneer in Active Application Security Posture
Management (Active ASPM), today issued the OSC&R community’s
inaugural software supply chain threat report, "OSC&R in the
Wild: A New Look at the Most Common Software Supply Chain
Exposures." Based on a nine-month analysis of over 100 million
alerts, tens of thousands of code repositories, and 140,000
real-world applications, the report is the first comprehensive
analysis of the severity of vulnerabilities across the software
supply chain kill chain. OSC&R in the Wild quantifies the ongoing
challenge of finding and remediating severe security risks when 97%
of the alerts raised are benign noise, and offers guidance for
adopting a more proactive, attacker-centric security strategy.
The Open Software Supply Chain Attack Reference (OSC&R)
framework, first published in early 2023, was developed
collaboratively by cybersecurity veterans from OX Security,
Microsoft, Oracle, GitLab, Fortinet, FICO, and more. OSC&R is a
MITRE ATT&CK-like framework that gives organizations a single
point of reference to proactively assess their strategies to secure
their software supply chains. The goal of this inaugural OSC&R
report is to help AppSec teams better understand how adversaries
view and target the entire kill chain, and to help prioritize where
best to focus their limited resources.
The report found that many applications contained multiple
vulnerabilities spanning several stages of the kill chain, leaving
them even more exposed to a successful attack. A surprising number
of long-documented weaknesses were also still frequently found in
the wild. For instance, older tactics such as backdoor code
insertion remain prevalent. The recently discovered CVE-2024-3094
backdoor, inserted into XZ Utils releases that had already reached
the testing and rolling branches of several major Linux
distributions before it was caught, shows that attackers still use
this method. The widespread presence of these vulnerabilities in the
report's code samples underscores the persistent risk.
Key Findings include:
- AppSec teams face an unmanageable volume of alerts: The
average AppSec team monitors 129 applications and triages over
119,000 security alerts annually.
- Most organizations face high severity risks: 95% of
organizations had at least one high, critical, or apocalyptic
risk (the three highest severity rankings) within their software
supply chain, with the average organization having nine such
issues.
- One in five applications contains run-time exposure:
Analysis against attack phases showed that 20% of all applications
have high, critical, or apocalyptic issues in the Execution
stage, where attackers aim to run malicious code.
- Older vulnerabilities are still the most common: While
some newer tactics did appear, the three most frequently observed
vulnerability classes, command injection (15.4% of applications),
sensitive data in log files (12.4%), and cross-site scripting
(11.4%), have all been documented for many years.
- Six of the top ten most commonly observed vulnerabilities
are tied to poor implementation of fundamental security practices:
authentication, encryption, keeping exploitable information out of
logs, and the principle of least privilege.
- Automated alert analysis reduces the noise: Automated,
contextual analysis cut overall alert volume by more than 97%,
accelerating the identification of the critical alerts
organizations actually need to address.
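Two of the three weakness classes named above, command injection and sensitive data in log files, are old enough that the fixes are well understood. The Python script below is an added example written for this page; it is not code from the OSC&R report or from OX Security's tooling. It shows each weakness in a vulnerable form beside a hardened one. It assumes a POSIX shell is available, uses `echo` in place of a network tool such as `ping` so that it runs offline, and the request line, bearer token, password and card number in it are constructed sample data, not real secrets.

```python
"""Vulnerable-versus-hardened snippets for command injection and sensitive
data in log files. Example code written for this page, not from the OSC&R
report or OX Security. `echo` stands in for a tool such as `ping` so the
example runs offline; all secrets below are constructed sample data."""
import io
import ipaddress
import logging
import re
import subprocess

# ---- Command injection -----------------------------------------------------

def lookup_vulnerable(host: str) -> str:
    """VULNERABLE: untrusted input is spliced into a string that /bin/sh
    parses, so '127.0.0.1; echo INJECTED' runs a second command."""
    result = subprocess.run(
        f"echo pinging {host}", shell=True, capture_output=True, text=True)
    return result.stdout

# RFC 1123-style hostname: alphanumeric start and end, 253 chars at most.
_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def validate_host(host: str) -> str:
    """Allowlist validation: an IPv4/IPv6 literal or a plain hostname.
    A leading '-' fails the pattern, which also blocks argument injection
    (a value parsed as an option) that an argv list alone would not stop."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")

def is_rejected(host: str) -> bool:
    """True if validate_host() refuses the value."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False

def lookup_hardened(host: str) -> str:
    """Hardened: validate first, then pass an argv list so no shell is
    involved and metacharacters in the value are never interpreted."""
    argv = ["echo", "pinging", validate_host(host)]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout

# ---- Sensitive data in log files -------------------------------------------

# Constructed request line carrying three kinds of secret (sample data).
REQUEST_LINE = ("GET /api/orders?user=alice&password=hunter2 "
                "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0 "
                "card=4111 1111 1111 1111")

class RedactSecrets(logging.Filter):
    """Handler-level filter that scrubs credential-shaped substrings from the
    rendered message before the handler writes it. The patterns are
    illustrative; a real deployment tunes them to its own token formats."""
    PATTERNS = (
        (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
        (re.compile(r"(?i)(password=)[^&\s]+"), r"\1[REDACTED]"),
        (re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b"), "[REDACTED-PAN]"),
    )

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        for pattern, replacement in self.PATTERNS:
            message = pattern.sub(replacement, message)
        record.msg, record.args = message, ()
        return True

def _log_request(name: str, redact: bool) -> str:
    """Log REQUEST_LINE through a fresh logger; return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger(f"oscr_demo.{name}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    logger.info("request: %s", REQUEST_LINE)
    handler.flush()
    return buf.getvalue()

def log_vulnerable() -> str:
    """VULNERABLE: the raw request, secrets included, lands in the log."""
    return _log_request("vulnerable", redact=False)

def log_hardened() -> str:
    """Hardened: same call site, but the filter strips secrets in transit."""
    return _log_request("hardened", redact=True)

if __name__ == "__main__":
    print(lookup_vulnerable("127.0.0.1; echo INJECTED"), end="")
    print("hardened lookup refused injection:", is_rejected("127.0.0.1; echo INJECTED"))
    print(log_vulnerable(), end="")
    print(log_hardened(), end="")
```

Switching from a shell string to an argv list is necessary but not sufficient: a value beginning with `-` would still be parsed as an option by the invoked tool, which is why the allowlist accepts only an IP literal or a plain hostname. On the logging side the filter is attached to the handler rather than to each call site, so every existing `logger.info` call in a codebase is covered without being rewritten.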
“One of the questions our researchers sought to answer was
whether there was alignment between the vulnerabilities found in
the wild and the focus of AppSec teams,” said Neatsun Ziv, CEO of
OX Security. “The data suggests there is a misalignment. We found
significant vulnerabilities at every stage of the kill chain. The
volume of vulnerabilities passing through the supply chain into
live applications, and the high percentage of organizations
reporting incidents, indicate that AppSec teams need to focus on
both threat detection and fostering a culture of continuous
improvement and adaptation in security practices.”
Utilizing the OSC&R framework with Application Detection and
Response (ADR) and Application Security Posture Management (ASPM),
organizations can gain a comprehensive understanding of their
software supply chain vulnerabilities, adopting a more proactive,
attacker-centric security strategy. This approach will help foresee
potential threats and implement robust defenses, ultimately
reducing the likelihood of severe vulnerabilities reaching
production code.
“As reliance on software supply chains has increased for
enterprise application development, attackers have been quick to
exploit vulnerabilities within third-party code,” said David Cross,
former Microsoft and Google cloud security executive and founding
OSC&R member. “The OSC&R report underscores the critical
importance of the OSC&R framework in addressing software supply
chain vulnerabilities. The report not only highlights the pervasive
nature of these threats but also provides a comprehensive
methodology for AppSec teams to prioritize their efforts
effectively. By leveraging the OSC&R framework, organizations
can gain deeper insight into adversarial behaviors and better align
their security strategies to mitigate risks. It's an invaluable
resource for any organization looking to strengthen their software
supply chain security posture.”
Download the full "OSC&R in the Wild: A New Look at the Most
Common Software Supply Chain Exposures" report here.
About the OSC&R Community
The Open Software Supply Chain Attack Reference (OSC&R)
community is a collaborative effort dedicated to enhancing the
security of software supply chains. Launched in February 2023 and
spearheaded by OX Security, the community includes cybersecurity
veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, and
FICO. These experts created the OSC&R framework, modeled after
MITRE ATT&CK, to help organizations assess their software
supply chain security strategies, identify vulnerabilities, and
compare solutions effectively. As an open-source framework,
OSC&R provides actionable insights into the tactics,
techniques, and procedures (TTPs) used by adversaries to compromise
software supply chains. By providing a standardized language and
framework, OSC&R empowers the security community to proactively
secure software supply chains and mitigate risks. For more
information, visit pbom.dev or join the conversation and contribute
to our Slack community.
About OX Security
At OX Security, we’re unifying application security (AppSec)
with the first-ever Active ASPM platform, which ensures seamless
visibility and traceability from code to cloud. Leveraging our
proprietary AppSec Data Fabric, OSC&R framework, and Attack
Path Reachability Analysis, OX delivers comprehensive security
coverage, contextualized prioritization, and automated response and
remediation throughout the software development lifecycle. Recently
recognized as a Gartner Cool Vendor and a SINET 16 Innovator, OX is
trusted by dozens of global enterprises and tech-forward companies.
Founded by industry leaders Neatsun Ziv, former VP of Check Point's
Cyber Security business unit, and Lior Arzi from Check Point's
Security Division, OX's Active ASPM platform is more than a
solution; it empowers organizations to take the first step toward
eliminating manual AppSec practices while enabling scalable and
secure development.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240717000658/en/
Suzanne Tuchler Eskenzi PR for OX suzanne@eskenzipr.com
408-307-6900