In 2023, data breaches reached a new record high, largely driven by zero-day and supply chain attacks, according to the Identity Theft Resource Center (ITRC). The annual data breach report highlighted a staggering 78% increase in data compromises, with 3,205 incidents reported, significantly surpassing previous years. It identified supply chain attacks as a primary entry point, and the number of organizations impacted has surged by more than 2,600 percentage points since 2018.
The European Union Agency for Cybersecurity’s (ENISA) latest report ranks supply chain compromise of software dependencies as the top threat with the highest impact for the next half a decade. These attacks are motivated by malicious intent, where threat actors target a trusted third-party vendor or supplier to gain access to an organization’s data.
90% of the world’s software is built with open source code, and attacks on OSS repositories have increased, with many incidents involving malicious packages designed to closely resemble legitimate ones.
Meanwhile, developers are drowning in alerts that have no chance of stopping a zero-day supply chain attack. Protecting your supply chain goes beyond the basics of keeping your software updated. Supply chain attacks can actually happen while you are updating your dependencies to newer versions, because they often leverage trusted software to embed malicious code.
Supply chain attacks are also more difficult to catch, especially when security teams spend most of their time tackling the endless barrage of lower level alerts:
- High Volume of False Positives: Approximately 90% of security teams report being overwhelmed by false-positive alerts, which do not indicate any actual security threat but still require investigation.
- Increasing Alert Volume: 70% of IT security leaders say the volume of security alerts they receive daily has more than doubled over the past five years.
- Time-Consuming Investigations: On average, it takes security analysts more than 10 minutes to investigate each security alert, leading to significant time expenditure on potentially non-threatening issues.
- Missed Alerts: Up to 30% of alerts go ignored or are not investigated due to the sheer volume of alerts, increasing the risk of missed genuine threats and delayed incident response.
- Burnout and Staff Retention Issues: The constant influx of alerts contributes to burnout among cybersecurity professionals, exacerbating the already existing skills shortage in the industry.
In 2024 Developers Cannot Rely on CVEs to Determine if OSS Packages are Safe#
Compounding the alert fatigue is the increasing unreliability of the NVD. NIST stopped enriching CVE’s in mid-February and the backlog of those awaiting analysis sits at 17,871. This includes more than 50% of known exploited vulnerabilities (KEVs), which are missing valuable details and context. The backlog further undermines the reliability of CVEs as the primary means of assessing software security.
Those who are solely relying on CVE data to determine the safety of their open source packages have an incomplete strategy at best and a catastrophic blindspot in the worst case scenario. The most recent high-profile supply chain attacks—such as the xz-utils attack in March 2024, the PyPI attack in March 2024, and the Ledger attack in December 2023—went undetected by legacy CVE scanners, highlighting their insufficiency in identifying modern threats.
Strategies for Prioritizing Detection of Malicious Intent#
While unpatched vulnerabilities are a significant security risk, the likelihood of any single vulnerability being actively exploited can vary widely. According to a 2023 report from the Qualys Threat Research Unit, in 2023, less than 1% of the 26,447 disclosed vulnerabilities posed the highest risk, being actively exploited in the wild by ransomware, threat actors, and malware.
Security teams cannot afford to focus on vulnerabilities to the exclusion of supply chain threats.
The malicious intent hidden in these threats is targeted to maximize impact, and once the supply chain is infiltrated, threat actors often have access to a large number of systems almost immediately.
Here are a few strategies for combating alert fatigue by prioritizing detection of malicious intent.
1. Modernize Your Security Tools to Focus on Real Threats
If your Software Composition Analysis (SCA) tools are not able to scan the actual source code of your dependencies to identify backdoors, obfuscated code, new capabilities, (network, filesystem, child processes, etc.), typosquatting, and other modern day supply chain threats, they need to be updated. To do this efficiently at scale, security teams will need to leverage tools powered by machine learning and LLMs moving forward.
Malicious packages fly under the radar and can easily slip through the cracks when adding a new dependency or updating an existing one. With many web applications numbering in the thousands to tens of thousands of dependencies, the attack surface is vast. Configure your tools to prioritize the threats that are capable of jeopardizing your organization with a swift and catastrophic outcome.
2. Empower Developers to Make Better Security Decisions
Adopt tools that provide actionable feedback about dependency risk instead of those that generate hundreds of meaningless alerts. Giving developers the right information in the context of their workflow will empower them to make better security decisions.
Securing an open source code base is like tending a diverse garden of living organisms. You’re going to have a mix of libraries that die or that get abandoned and need replacing, or ones that become so popular they become magnets for security exploits. Some will have midstream licensing changes to try to remain sustainable. Developers need to be empowered to make decisions here and prevent bottlenecks.
Shifting left is somewhat of a buzz word these days, but it needs to be done in a context-appropriate way that doesn’t just shift the responsibility to developers without giving them the tools to self-remediate issues. Software supply chain alerts make the most sense inline where code is being pushed and the conversation is happening. Give developers the tools to secure their dependencies instead of pushing the requirement further up the chain and deeper into the development lifecycle.
3. Enable Forward Momentum on Addressing Alerts
Alert fatigue can suffocate forward momentum and damage a team’s confidence in preventing actual supply chain threats. Developers and security teams need tools that will enable forward momentum and isolate supply chain threats that need to be addressed. The teams that are able to maintain a high level of action on a reasonable level of alerts are the ones that ultimately find success in building a culture of developing software that is secure by design.
To effectively manage the high volume of security alerts, the goal is to filter out the noise and focus on high-priority incidents. By leveraging automation, machine learning, and artificial intelligence, organizations can significantly reduce false positives and efficiently triage alerts, while prioritizing the identification of malicious intent. These technologies help identify critical risks, and provide actionable intelligence, allowing security teams to concentrate on the most pressing threats without being overwhelmed by irrelevant data. This approach enhances detection rates and ensures that human effort is directed where it is most needed.