Aqua Security 2023 Predictions: Software Supply Chain Threats Will Grow and Evolve in 2023


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual VMblog.com series exclusive.

Software Supply Chain Threats Will Grow and Evolve in 2023

By Eilon Elhadad, Senior Director, Supply Chain, at Aqua Security

It's been nearly two years since the infamous SUNBURST attack, and the software supply chain continues to be a prominent attack vector. In fact, these attacks have continued to grow and evolve in both the public and private sectors. Despite more effort in the last several years to combat them, according to a report, more than one-third of organizations have been exploited due to a known open source software vulnerability in the last 12 months, and 28% have been impacted by a zero-day exploit.

The critical nature of these threats has prompted nationwide concern. In 2021, the White House issued EO 14028, Improving the Nation's Cybersecurity. But as threats in 2022 continued to escalate, the White House issued a memo in September, Enhancing the Security of the Software Supply Chain Through Secure Software Development Practices, which detailed the effective dates by which agencies must ensure that the software they are procuring (and have previously procured) is compliant.

The Expanding Attack Surface

We've seen time and again how business needs guide technology innovation, and along with this advancement come new areas of risk. Over the past few years, increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities, much as in the early days of cloud adoption. New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the catastrophic impact that results from attacks on the software supply chain. In one example from 2022, a vulnerability in Travis CI, a tool used by over 900,000 open source projects, exposed tens of thousands of user tokens, opening them up to cyber attacks.

Expectations for 2023

Moving forward, software supply chain threats will continue to be a significant area of concern for both the public and private sectors. We will see fewer highly sophisticated attacks like SolarWinds, and more attacks like those targeting Log4j, Spring4Shell and OpenSSL, components that are used massively across code and production. Such attacks have a larger potential blast radius, allowing attackers to impact entire markets and wreak havoc for organizations.

After years of discussions about DevSecOps, 2023 will bring wide adoption as securing software rises to the top of the CISO priority list. Along with this development will come innovation and the adoption of new technologies that enable DevSecOps and help companies contend with the onslaught of threats to the software supply chain. Global sales of technologies to secure the software development cycle were $3.7 billion last year and are expected to more than double, to $9.2 billion, in 2026. In the coming year, CISOs will prioritize spending on solutions for software composition analysis, SBOMs, and ways to secure the toolchain, and they will look for better ways to measure the health of open source components.

Escalating threats and rising demand for solutions that secure the supply chain have already been a catalyst for growth in the security market, and we can expect this trend to continue in 2023. In a niche space that once had only a few companies specializing in software supply chain security, we have already seen a dozen new players enter the market. These companies have focused on three primary areas: securing the software supply chain from code to CI/CD toolsets to deployment, creating marketplaces for CI/CD code scanning, and addressing the health of open source software. This surge in competition will be great for end users, as it will fuel a surge in innovation in the space that can potentially enable huge, industry-wide progress.


ABOUT THE AUTHOR


Eilon is the senior director of software supply chain security at Aqua Security. Previously, he was co-founder and CEO of Argon Security, a company acquired by Aqua in 2021. Argon was the industry's first dedicated solution for protecting the full lifecycle of the software supply chain. Prior to founding Argon, Eilon served in the elite 8200 Unit in the Israeli Intelligence Corps, where he led development projects in defensive cybersecurity and evasion of targeted cyber threats. He was responsible for the R&D of the cybersecurity unit and finished his service with the rank of captain. He holds a B.Sc. and M.Sc. in computer science and is a graduate of Mamram. When he is not working, he enjoys spending time with his friends and playing sports.

Published Friday, December 23, 2022 7:35 AM by David Marshall