Supply chain cybersecurity was analyzed in a recent report by OX Security. The report found that many applications contained multiple vulnerabilities spanning various stages of the kill-chain, leaving them even more vulnerable to a successful attack. 

The recently discovered CVE-2024-3094 exploit, targeting XZ Utils in major Linux distributions, shows that attackers still successfully use this method. The widespread presence of these vulnerabilities in the report’s code samples underscores the persistent risk.

Key findings include:

• The average AppSec team monitors 129 applications and triages over 119,000 security alerts annually.
• 95% percent of organizations had at least one high, critical, or apocalyptic risk (the three highest rankings of severity) within their software supply chain, with the average organization having nine such issues.
• Analysis against attack phases showed that 20% of all applications have high, critical, or apocalyptic issues during the Execution stage, where attackers aim to deploy malicious code.
• While some newer tactics did appear, the three most frequently observed vulnerabilities: command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) have all been around for many years.
• Six of the top ten most commonly observed vulnerabilities are tied to poor implementation of fundamental security practices such as authentication, encryption, exploitable information in logs, and the principle of least privilege.
• Automated alert analysis helps reduce the noise: automated, contextual analysis dramatically reduced the volume of overall alerts by more than 97%, accelerating the identification of the critical alerts organizations need to address.