In a dramatic shift, the 2024 version of the Verizon Business Data Breach Investigations Report (DBIR) sounds the alarm about the growing link between data breaches and the vulnerability of the software supply chain – and calls on enterprises to hold their software suppliers to a higher standard for software security. 

Released this week, the 2024 Verizon DBIR found that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches Verizon documented, a 68% jump from last year’s report — prompting Verizon to call on organizations to “start looking at ways of making better choices” about which software providers they choose to work with “so as to not reward the weakest links in the chain.”

The 2024 DBIR represents Verizon’s deepest look to date into software supply chain threats. That was made possible, in part, by the anonymized data from ReversingLabs’ Spectra Assure, which was shared with Verizon Business. ReversingLabs’ software supply chain threat data was combined with other threat intelligence for the 2024 report. In addition, ReversingLabs provided statistics on the volume of supply chain threats observed, by threat category, and access to our platform and further analyses on thousands of file hashes.

ReversingLabs founder and CEO Mario Vuksan said 2024 marks ReversingLabs’ first year as a Verizon DBIR contributor. 

“The Verizon DBIR is a long-respected and established security report, and we are pleased to have been able to contribute our findings to support its effort. The results are clear: Software supply chain attacks are on the rise, and the ripple effect of each one continues to get bigger. We look forward to working with software development organizations and procurement teams in educating on and addressing this growing attack surface.”
—Mario Vuksan

Here are the key takeaways from the report — and why your company needs to step up your software supply chain security approach.

[ Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download Report: State of SSCS ]

ReversingLabs data provides deeper view into software supply chain risk

The DBIR is a foundational annual report. Since 2008, it has tapped into Verizon’s substantial resources and footprint within enterprises, and leveraged data supplied by third-party firms, to present a snapshot of the cyber-risk landscape, with a focus on attacks that result in the theft or leaking of sensitive data. 

Past DBIR reports have tread lightly around the topic of software supply chain risks and attacks, focusing on the specifics of incidents such as the Sunburst attack on SolarWinds rather than the bigger picture of supply chain risk. The 2023 Verizon DBIR, for example, was released just prior to the disclosure of the supply chain attack on voice-over-IP vendor 3CX. It contained a detailed discussion of the discovered vulnerability in the Log4j open-source Apache library, active attempts to exploit the Log4Shell vulnerability, and the challenges that end-user organizations faced in assessing their exposure to the Log4Shell exploit.

However, last year’s DBIR made only passing references to larger questions about risks in both open-source and third-party, proprietary software and the need for mitigations such as software bills of materials (SBOMs) that document the software “ingredients” of enterprise applications and services.  

2024 DBIR takes a broader view of third-party risk

The modern landscape of software supply chain risks and threats is reflected in noteworthy changes in the DBIR’s perspective on software supply chain security. For example, Verizon declares in the latest DBIR that the definition of “third-party risk” it adhered to in previous iterations of the report was “pedantic” and that it is adopting “the broadest possible interpretation” of third-party risk, which includes hacks of development pipelines as seen in incidents such as SolarWinds and 3CX. It also includes instances in which vulnerabilities in third-party software were exploited by ransomware gangs, nation-state actors, and others to wreak havoc on enterprise networks and data.

The implications of that shift are clear: Development organizations are at the root of many of the security woes facing both private- and public-sector organizations. They are the source of vulnerable application code. And they enable bad actors by “[taking] it on faith that the libraries [they’re] downloading are free from malware.” 

And yet developers and software producers are not the primary victims of attacks on exploitable code vulnerabilities. Their customers are. “These quality control failures can disproportionately affect the customers who use this software,” the DBIR states. The report wonders whether “the incentives might not be aligned properly for … developers to handle [the] seemingly interminable task” of addressing vulnerabilities in the software they ship to customers. 

In a webinar held by Verizon Business on Wednesday morning to discuss the results of the report, its author, David Hylender, associate director of threat intelligence at Verizon Business, stressed that organizations need to be mindful of the partners they work with in light of the amount of breaches caused by third parties:

“You need to go back to the idea of vetting your vendors to choose the ones you work with based on the track record they have. We’re not throwing stones at vendors — they do a very difficult job — but we do need to try to make wise decisions on who we do business with based on their overall security stance.”
—David Hylender

Report advocates for software producer responsibility, Secure by Design

The clear message of this year’s DBIR is that security operations and risk management teams need to shift their thinking and assumptions about the sources of cyber-risk and adverse events to adopt a more holistic approach. 

The DBIR calls attention to the “love story between zero-day vulnerabilities and ransomware threat actors” while also lamenting the long delays that are typical in getting exploitable holes patched. The DBIR said it takes 55 days to remediate 50% of the critical vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) list, with 8% of those still unpatched a year after their discovery. That puts end-user organizations in an impossible position. 

In the 2024 DBIR report, Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that the goal of organizations should be “to shift away from focusing on individual vulnerabilities and to instead consider the issue from a strategic lens.” That should include focusing on “recurring classes of software defects” and “inspiring developers to improve the tools, technologies, and processes and attack software quality problems at the root.”

To help make that happen, the DBIR report calls on enterprises to hold their software vendors “accountable for the security outcomes of their product, even if there is no regulatory pressure on those vendors to do better.” Additionally, the DBIR authors said that they will join that chorus: “emphasiz[ing] this point going forward by expanding our third-party involvement in breaches metric to also account for the exploitation of vulnerabilities.”

The report also directs software development organizations and those involved in software procurement to familiarize themselves with the Secure by Design guidance compiled by CISA and 17 other partner organizations:

“If there ever was a clear time to make a statement by prioritizing this elegant solution to a growing threat, this is it. We can see the costs of not acting all too well.”

This 2024 DBIR marks a shift in both focus and tone from 15 previous Verizon Business reports, with software supply chain risk newly presented in sharp relief and the endemic problem of poor security practices by software producers and the impossible situation of end-user organizations both highlighted. The DBIR joins a growing chorus of calls for increasing transparency and accountability for software security, which should prompt all organizations large and small to up-level their software supply chain security approach.

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Paul Roberts. Read the original post at: https://www.reversinglabs.com/blog/verizon-2024-dbir-software-supply-chain-risks-fuel-a-data-breach-epidemic