A nine-month study by OX Security has revealed that 95% of organizations have at least one vulnerability in their software supply chain that can be categorized as high, critical, or apocalyptic, DevOps reports.
The analysis covering over 100 million alerts, thousands of code repositories, and 140,000 applications utilized the Open Software Supply Chain Attack Reference framework. It found that each organization has an average of nine critical issues, with common vulnerabilities including command injection at 15%, sensitive data in log files at 12%, and cross-site scripting accounting for 11% of flaws. In addition, one application out of every five contains runtime exposure.
Around 36% of applications were vulnerable to initial access exploits, and 20% were susceptible to Persistence or Execution exploits. The most prevalent software supply chain attack techniques identified were backdoors into code at 31%, over-privileged user accounts at 29%, and command injection at 27%. OX Security said application security teams face an overwhelming number of alerts, averaging 119,000 annually across 129 applications, and emphasizes the need for automation to correlate alerts and reduce volume by over 97%.
