A Deep Dive on Software Supply Chain 

NightDragon was honored to participate in the 2023 Cisco CISO Survival Guide, including providing an in-depth analysis of our perspective on the evolution and growth being experienced in the software supply chain market.

Over the last two years, attacks and vulnerabilities such as Log4j, SolarWinds, and Kaseya have opened our eyes to the risks lurking in our software supply chain. Additionally, we have seen supply chain attacks more recently at Fortra, 3CX, Progress Software and many others. According to the 2022 Verizon Data Breach Report, 62% of intrusion incidents in the past year were due to vulnerabilities exploited in the software supply chain. 

These incidents have led to highly disruptive cyberattacks, not only for the directly impacted business but also for the vendors with whom they have a customer or partner relationship. As an example, Log4j allowed attackers to remotely take over computers around the world by inserting malicious code and exposing hundreds of thousands of systems to attack or ransomware. Given the widespread use of this open source library, these issues may continue to cause problems for decades.

Software supply chain risks did not emerge overnight. Today, 90% of IT leaders leverage open source code, which is largely developed outside of their control. Meanwhile, according to one report, 98% of applications analyzed included open source software libraries, expanding their threat landscape dramatically. Agile software development operations have drastically accelerated the pace and frequency of new features and capabilities, bringing many benefits in terms of innovation but also introducing potential new cycles of risk. Additionally, an increasingly distributed workforce and the use of cloud-native systems make it even more difficult to gain visibility and correct issues that may arise.

Regulators have noticed this rising risk and are actively discussing or rolling out new requirements for securing the software supply chain. Secure by Design efforts and Software Bill of Materials (SBOM) initiatives, in particular, have gained traction over the past year from government officials.

As we’ve looked to raise defenses against rising software supply chain risk, we’ve found current security approaches to be fragmented and insufficient. Legacy solutions fail to identify subtle threats sown throughout the lifecycle of the software supply chain. While they assess code at snapshots in time, they fail to account for the iterative nature of the software development process. Constant, continuous processes are needed to capture the entire risk spectrum. Code-level solutions fail to identify broader risks associated with the software delivery pipeline, such as access management, malicious behavior detection, and other risks beyond vulnerable code.

“Third parties are a black box to us,”

CISO of Top 10 Medical Insurance company

To gain control over the spread of software supply chain risks, organizations need to think strategically about their software supply chain and focus on solutions that can identify, manage, and address the risks quickly, continuously, and at scale. Categories such as code vulnerability and scanning, open source governance, delivery pipeline posture management, and third-party risk management have emerged to help mitigate different aspects of the software supply chain risk spectrum. 

In the report for Cisco alongside other leading VCs, NightDragon examined the startup landscape for this sector, as well as surveyed CISOs as to what trends they are watching in this sector and how they view the rising risk landscape. NightDragon additionally has made investments in this sector, including leading an investment in Interos, who falls in the third-party risk management category. 

Additionally, some takeaways from the survey include:

  • 70% of CISOs said software supply chain is a top investment priority for them 
  • 96% of CISOs surveyed said they are using or considering using software supply chain solutions in the next 12 months 
  • 81% of CISOs said they expect software supply chain security to increase as a priority within the next 3-5 years
  • 55% said compliance concerns were their top pain point driving investments around software supply chain 

To read the full analysis, including further findings on software supply chain and other deep dives on the identity, data and collaboration and cloud security markets from Cisco Investments, Forgepoint Capital and Team8, please download the full report. 

NightDragon continues to explore interesting opportunities in this space. If you’re a founder or building in this space, we’d love to meet with you. Feel free to email us at morgan@nightdragon or hannah@nightdragon.com