At least one high or critical risk was present in 95% of organizations

Supply chain cybersecurity was examined in a recent report by OX Security. The report found that numerous applications carried vulnerabilities across every stage of the attack kill chain, making them more susceptible to successful attacks.

The recently identified CVE-2024-3094 exploit, which targeted XZ Utils in major Linux distributions, demonstrates that attackers still use software supply chain compromise effectively. The prevalence of these vulnerabilities in the report's code samples underscores the ongoing risk.

Key findings include:

  • The average AppSec team monitors 129 applications and handles over 119,000 security alerts annually.
  • 95% of organizations had at least one high, critical, or apocalyptic risk within their software supply chain, with an average of nine such issues per organization.
  • Analysis of attack phases revealed that 20% of all applications have high, critical, or apocalyptic issues during the Execution stage, where attackers strive to deploy malicious code.
  • Although some newer tactics were identified, the three most commonly observed vulnerabilities (command injection in 15.4% of applications, sensitive data in log files in 12.4%, and cross-site scripting in 11.4%) have all been known for many years.
  • Six of the top ten most frequently observed vulnerabilities stem from inadequate implementation of basic security practices such as authentication, encryption, keeping exploitable information out of logs, and the principle of least privilege.
  • Automated alert analysis aids in reducing noise: automated, contextual analysis significantly decreased the volume of overall alerts by more than 97%, speeding up the identification of critical alerts that organizations need to address.
