Software Supply Chain Attacks Hit 61% of Firms

More than three-fifths (61%) of US businesses have been directly affected by software supply chain threats in the past year, according to a new Capterra report.

This online marketplace vendor surveyed 271 IT and IT security professionals to better understand the risks that US businesses face from third-party software vulnerabilities.

Half of the respondents rated the software supply chain threat as “high” or “extreme,” while another 41% claimed the risk was moderate.

Capterra, which is owned by analyst firm Gartner, said open source software was the main source of supply chain risk. The report found that 94% of US businesses now use some form of it, and more than half (57%) use multiple open source platforms.

“These numbers are probably just the beginning,” argued Capterra analyst Zach Capers. “Most software platforms that are not fully open source include a number of open source packages that developers leverage to speed up production.”


In fact, open source threats have been cataloged many times. Sonatype recorded a 742% increase in supply chain malware in upstream open source packages between 2019 and 2022. Meanwhile, the Linux Foundation revealed that the average application development project contains 49 vulnerabilities across 80 direct dependencies.

Capers argued that app sprawl contributes to cyber risk in this space: retailers that have experienced cyberattacks in the past two years are more than twice as likely to report being affected by app sprawl (53% vs. 22%).

He recommended that organizations require software bills of materials (SBOMs) from vendors and open source providers to reduce app sprawl and better track individual components.

However, only half (49%) of respondents currently do so.

Other recommended actions include a formal risk assessment of the software supply chain, which 64% of companies are currently conducting, privileged access controls (61%), and honeypot deployment (34%).
