More than three-fifths (61%) of US businesses have been directly impacted by a software supply chain threat over the past year, according to a new report from Capterra.
The online marketplace vendor polled 271 IT and IT security professionals to better understand the risk exposure of US companies to vulnerabilities in third-party software.
Half of respondents rated the software supply chain threat as “high” or “extreme,” with another 41% claiming the risk is moderate.
Capterra, which is owned by analyst house Gartner, pointed to open source software as a key source of supply chain risk. It is now used by 94% of US companies in some form, with over half (57%) using multiple open source platforms, the report revealed.
“Those numbers are likely only the beginning,” argued Capterra analyst Zach Capers. “Most software platforms that are not fully open source include a lot of open source packages that developers leverage to speed up production.”
The scale of the open source threat has been documented repeatedly. Sonatype recorded a 742% increase in supply chain malware planted in upstream open source packages between 2019 and 2022, while the Linux Foundation found that the average application development project contains 49 vulnerabilities spanning 80 direct dependencies.
Capers claimed that app sprawl is contributing to cyber risk in this area, noting that retailers that experienced a cyber-attack in the past two years are more than twice as likely to report being impacted by app sprawl as those that did not (53% versus 22%).
Alongside reducing app sprawl, he recommended organizations request a software bill of materials (SBOM) from vendors and open source providers, so that they can better track individual components.
Yet only half (49%) of respondents are doing so currently.
Other recommended actions included formal risk assessments of the software supply chain, which 64% of businesses are currently conducting, privileged access management (61%) and deployment of honeypots (34%).