
The new CIO security priority: Your software supply chain

November 3, 2022

Via: CIO

One reason open source is popular in the enterprise is that it provides well-tested building blocks that can speed up the creation of sophisticated applications and services. But third-party software components and the convenience of packages and containers bring risks along with the benefits because the applications you build are only as secure as those dependencies.

Software supply chain attacks are becoming so widespread that Gartner listed them as the second biggest threat for 2022. By 2025, the research firm predicts 45% of organizations globally will have experienced one or more software supply chain attacks — and 82% of CIOs think they will be vulnerable to them. These include attacks via vulnerabilities in widely used software components such as Log4j, attacks against the build pipeline (cf. the SolarWinds, Kaseya, and Codecov hacks), or hackers compromising package repositories themselves.
