Effective Offensive Security Strategies to Minimize Supply Chain Risk

In the modern software-dominated digital economy, attacks on the supply chain are no longer a hypothetical or theoretical threat, but a real and rising concern for CISOs worldwide. Why?

  • A 2024 report found that 70.2% of applications have flaws in third-party code.
  • In 2024, 72% of security professionals identified software supply chain security as their biggest blind spot, which is unsurprising when you consider that 95% of teams are now using 20 or more tools to manage application security. [1]
  • The global annual cost of software supply chain attacks to businesses is predicted to reach $60 billion in 2025, and $138 billion by 2031. [2]

A software supply chain consists of all the code, components, libraries, binaries, and scripts that constitute a piece of software throughout the software development lifecycle (SDLC). While many of these elements are part of paid/licensed software, many others are part of free and open-source software (FOSS). Regardless of the software type, it may contain security vulnerabilities that leave organizations at risk of serious supply chain attacks.

So how can both software vendors and security practitioners minimize the risk of such attacks? This blog will explore some effective strategies to accomplish this.

Software Supply Chain Attacks: The Risks

Many software applications contain vulnerabilities that cybercriminals can exploit to launch large-scale cyberattacks on multiple organizations at once and potentially cause widespread damage. The HealthEquity supply chain attack that occurred in August 2024, for example, impacted 4.5 million customers nationwide. This attack was executed through a third-party software partner’s personal device, demonstrating the ability of one seemingly small third-party connection to cause widespread damage.

Inherent Risks of Open Source Software

Many organizations use open-source software (OSS), open-source code, and APIs to help lower development costs, accelerate the SDLC to respond faster to market or user requirements, and avoid vendor lock-in. For all these reasons, 40% of companies report that more than 50% of their code is composed of third-party, free, or open-source software, [3] and almost 96% of modern software programs include some kind of OSS component. [4] However, attacks on software supply chains commonly target exactly these components: open-source software (OSS), code, or APIs.

Unfortunately, as many as half of all applications include high-risk vulnerabilities due to OSS, leaving companies vulnerable to supply chain attacks. [4] The risk of attack can arise from numerous attack pathways, including:

  • Known vulnerabilities in third-party software
  • Previously unknown vulnerabilities in third-party code (“zero day” exploits)
  • Insecure third-party APIs
  • Secrets stolen from source code repositories
  • Misconfigured cloud services
  • Compromised credentials from service accounts or privileged user accounts

Attackers can use any of these pathways to introduce malware into enterprise networks, and from there lock devices, force downtime, steal sensitive or confidential data, or illegally mine cryptocurrency. It is no surprise, then, that CISOs across the globe remain vigilant against these attacks. To avoid such potentially devastating consequences, enterprises are proactively implementing strategies to identify and mitigate these risks.

Software Supply Chain Attacks: Strategies to Minimize the Risks

Software supply chain attacks are a serious threat that requires collective action from both software-consuming and software-developing organizations.

In most organizations, free or open-source software is not subject to thorough security scrutiny, which is where most of the risk of supply chain attacks comes from. For this reason, the OpenSSF’s Open-Source Consumption Manifesto encourages software-consuming organizations to evaluate every piece of OSS for security vulnerabilities and to vet the quality of all OSS code before implementing the software. [5]

It’s also critical for companies to buy software licenses or download OSS components only from trusted vendors or developers. To assess vendor trustworthiness, it’s helpful to set up a rigorous process to identify and onboard new vendors. Detailed guidelines or checklists can help simplify vendor background checks, history checks, performance audits, and certification reviews, which can then aid in identifying security-conscious vendors and guide in the purchase of secure-by-design software products.

Other crucial strategies that can help businesses to minimize the risk of software supply chain attacks:

  • Regularly scan the software environment to uncover, understand, and mitigate emerging/new risks.
  • Apply security patches and updates to all software as soon as they become available.
  • Maintain an up-to-date software inventory to enable continuous attack surface management (ASM), discovery, and risk mitigation.
  • Conduct regular penetration tests, ideally with a Penetration Testing as a Service provider, to accurately identify risks, predict exploitable vulnerabilities, and reduce the size of the attack surface.

Finally, if an attack does happen despite the above precautions, a comprehensive and well-tested incident response process can help to accelerate remediation and minimize the incident’s impact.

How software developers can minimize the risk

Software vendors and OSS developers (and communities) play an even bigger role in minimizing the risk of supply chain attacks to consumer organizations. To start with, vendors can incorporate security testing processes throughout the SDLC. Early and frequent testing will help them to identify vulnerabilities before product deployment and implement appropriate remediations before an attack can manifest.

Additionally, DevSecOps teams must collaborate closely to identify and mitigate risks prior to deployment. They must also apply established security models like SLSA (Supply-chain Levels for Software Artifacts) or S2C2F (Secure Supply Chain Consumption Framework) to better secure software packages, protect organizations, and create more trust across the software supply chain.

Some other strategies that software producers can adopt to reduce the risk of supply chain attacks:

  • Perform code reviews prior to merging.
  • Avoid checking binary artifacts into the repository.
  • Pin project dependencies to specific versions.
  • Ensure that all automated workflow tokens follow the principle of least privilege.
  • Use an API fuzz testing tool to catch vulnerabilities during the development phase or early in the deployment cycle.
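The dependency-pinning point in the list above is easy to state but easy to let slip in a busy repository. The following script is an added example (not BreachLock code and not code from any project the post names): a small checker that reads a requirements.txt-style manifest and flags every entry that is unpinned, uses a range or wildcard instead of an exact version, or, when hash checking is required, lacks a `--hash=` so that a substituted package with the same version number would not be caught. The manifest contents, the package names and the hash value are constructed sample input, not real findings.

```python
import re
from dataclasses import dataclass

# Constructed sample manifest for demonstration; the names, versions and
# the hash value are made up and do not describe any real package state.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
cryptography
urllib3~=2.2
six==1.16.0
"""

# name, optional comparison operator, version (stops at whitespace, '#' or ';'),
# and the remainder of the line (where --hash= options and markers live).
REQ_RE = re.compile(
    r'^\s*([A-Za-z0-9_.\-\[\]]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#;]*)(.*)$'
)


@dataclass
class Finding:
    name: str    # package name as written in the manifest
    spec: str    # version specifier that triggered the finding ('' if none)
    issue: str   # short description of why this entry is not a safe pin


def check_pins(manifest_text, require_hashes=False):
    """Return a list of Finding objects for entries that are not exact pins.

    An entry passes only if it uses '==' with a concrete version (no '*'),
    and, when require_hashes is True, also carries a --hash= option.
    """
    findings = []
    for raw in manifest_text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and pip options such as '-r other.txt'.
        if not line or line.startswith('#') or line.startswith('-'):
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(Finding(line, '', 'unparseable requirement'))
            continue
        name, op, ver, rest = m.groups()
        if op is None or ver == '':
            findings.append(Finding(name, '', 'no version specified'))
        elif op != '==':
            findings.append(Finding(name, f'{op}{ver}',
                                    'range specifier instead of exact pin'))
        elif '*' in ver:
            findings.append(Finding(name, f'{op}{ver}',
                                    'wildcard version instead of exact pin'))
        elif require_hashes and '--hash=' not in rest:
            findings.append(Finding(name, f'{op}{ver}',
                                    'exact pin but no --hash'))
    return findings


def report(findings):
    """Format findings as one line each, suitable for a CI log."""
    return [f'{f.name} {f.spec}: {f.issue}'.rstrip() for f in findings]


if __name__ == '__main__':
    for line in report(check_pins(SAMPLE_REQUIREMENTS, require_hashes=True)):
        print(line)
```

Run it against a real manifest by reading the file into `check_pins`; a non-empty result is the signal to fail the pipeline step. The `require_hashes=True` mode is the stricter policy: an exact version pin alone still trusts whatever the index serves under that version string, whereas a hash pin ties the build to the artifact that was reviewed.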

Despite these precautions, it may not be possible for vendors to completely eliminate the risk of supply chain attacks. However, they can offer strategic guidance and ongoing support to help organizations to mitigate the risk and to use their software in a safer, more productive way.

Strengthen the Security of Your Software Supply Chain with BreachLock

As organizations increasingly rely on software to drive innovation and business growth, understanding and managing software supply chain risks has never been more crucial. BreachLock’s Offensive Security solutions empower you to proactively identify, prioritize, and remediate these risks before they can be exploited by threat actors.

Leveraging our analyst-recognized Attack Surface Management (ASM) solution, you gain deep contextual insights into your exposed software assets, enabling a more targeted and effective penetration testing strategy. Our continuous penetration testing services provide comprehensive coverage across your applications, networks, APIs, and IoT devices, ensuring your defenses are always a step ahead of evolving threats.

Ready to elevate your software supply chain security with BreachLock? Schedule a free discovery call today and take the first step toward a more resilient security posture.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing Services, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!
