Application security, Third-party code, Critical Infrastructure Security, Supply chain

Software supply chain threats are finally on the OWASP Top 10


COMMENTARY: Software supply chain security is steadily moving to the forefront of cybersecurity conversations. In the past, it was overshadowed by a focus on malware outbreaks, ransomware, endpoint protection, and application vulnerabilities. That changed this month, when OWASP elevated software supply chain failures to third place (A03:2025) on its 2025 Top 10 list. The OWASP Top 10, compiled from a global consensus of security experts and industry data, is recognized as a leading benchmark for identifying the most critical application security risks.

The update is a long-overdue recognition that adversaries are no longer opportunistically exploiting the software supply chain but actively targeting it. The 10th Annual State of the Software Supply Chain report noted: “What was once a relatively niche method of attack has evolved into one of the most significant cybersecurity threats today.”

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

As organizations deepen their reliance on open-source components and embrace AI-enabled development, software supply chain risks will become more prevalent. In the OWASP survey, 50% of respondents ranked software supply chain failures number one. The awareness is there. Now the pressure is on for software manufacturers to enhance software transparency, making supply chain attacks far less likely and less damaging.

You can’t secure what you don’t see

Every major supply chain incident exposes that most organizations don’t know exactly what’s inside their own software. Dependency trees run deep. Components are swapped, reused, and inherited across generations of products. Firmware in critical equipment often contains code written a decade ago, maintained by developers who have long since moved on.

Attackers need only one forgotten open-source component from 2014, still quietly living inside shipped software, to mount a widespread attack. The ability to cause broad damage from a single point makes supply chain vulnerabilities alluring: why break into a hardened product when one outdated dependency, often buried several layers down, opens the door with far less effort?


The 2020 SolarWinds attack demonstrated the access adversaries gain when they compromise the build process itself. The Log4j vulnerability showed how a single overlooked library can set the global security community scrambling for weeks. GlassWorm showed how quickly malicious code can propagate through developer tooling at machine speed.

The fundamental issue, then, is the lack of software transparency across internal source code, third-party vendors, open-source libraries, and, now, AI-generated code.

Next steps: Know your software

Transparency is what will allow organizations to address software supply chain risk. Achieving that transparency starts with several steps.

Map Your Full Dependency Graph: It’s not enough to know your top-level packages. Attackers exploit the forgotten dependencies six layers deep. Build visibility into your complete dependency tree to identify inherited risk.

Generate Software Bills of Materials (SBOMs) at Build-Time: SBOMs should be generated automatically during every build, not reconstructed after software ships. Build-time generation captures exactly which components and versions were compiled into the product, including transitive dependencies that a source-level inventory misses.

Demand Continuous Transparency from Suppliers: SBOMs should not be a one-time deliverable. Require ongoing component updates, vulnerability notifications, and attestations from your vendors, integrators, and service providers. The security posture of your suppliers is just as important as your own.

Treat Legacy Code as a First-Class Risk: “Stable” legacy components often go uninspected for years. These aging libraries, firmware blocks, and third-party binaries frequently contain memory-unsafe constructs and unpatched vulnerabilities that could be exploited. Be sure to review legacy code and not give it the benefit of the doubt.

Scan for Vulnerabilities Regularly: With an SBOM in hand, generated at every build, you can match its components against vulnerability feeds and remediate issues before they are exploited. When a new vulnerability is disclosed or an attack is underway, the SBOM lets you quickly identify which products and versions contain the affected component.

Incorporate AI-Generated Code Into Your Governance: AI accelerates development, but it can also introduce insecure or unvetted patterns. Treat AI-generated code as an external supply chain input and inspect, track, and verify it.

Make Software Transparency a Cultural Expectation: Tools matter, but culture determines success. Build a development environment where SBOMs, component hygiene, build integrity, and Secure-by-Design thinking are defaults.
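The mapping, SBOM and scanning steps above come together in one workflow: walk the SBOM's dependency graph so every component has a depth and a path back to the top-level package, then match components against advisories. The script below is an added example, not code from the article or from RunSafe Security. The SBOM is constructed inline in the shape of a CycloneDX JSON document, with a legacy parser placed six layers deep; EXAMPLE-2024-0001 is a hypothetical advisory identifier, while CVE-2021-44228 (Log4Shell, fixed in log4j-core 2.15.0) is real. The version comparator handles dotted numeric versions only.

```python
# Added example: dependency-depth and vulnerability triage over a CycloneDX-shaped SBOM.
# Not the article's or RunSafe Security's code. SBOM below is constructed;
# EXAMPLE-2024-0001 is a hypothetical advisory ID, CVE-2021-44228 is real.
from collections import deque


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (type, 'namespace/name', version)."""
    body = purl[len("pkg:"):].split("?", 1)[0]      # drop qualifiers
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    return ptype, name, version


def version_key(version):
    """Sort key for dotted numeric versions; non-numeric parts count as 0 (not full semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def _component(ref, purl):
    _, name, version = parse_purl(purl)
    return {"bom-ref": ref, "name": name.rsplit("/", 1)[-1], "version": version, "purl": purl}


# Constructed SBOM: billing-service depends on log4j-core directly and on a legacy
# parser six layers down a chain of transitive dependencies.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "4.2.0"}},
    "components": [
        _component("log4j", "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"),
        _component("fw", "pkg:maven/org.example/web-framework@3.1.0"),
        _component("http", "pkg:maven/org.example/http-client@2.0.4"),
        _component("codec", "pkg:maven/org.example/codec@1.9.0"),
        _component("compress", "pkg:maven/org.example/compress@0.8.2"),
        _component("archive", "pkg:maven/org.example/archive-io@1.1.0"),
        _component("legacy", "pkg:maven/org.example/legacy-parser@1.2.0"),
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["fw", "log4j"]}, {"ref": "fw", "dependsOn": ["http"]},
        {"ref": "http", "dependsOn": ["codec"]}, {"ref": "codec", "dependsOn": ["compress"]},
        {"ref": "compress", "dependsOn": ["archive"]}, {"ref": "archive", "dependsOn": ["legacy"]},
    ],
}

ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven",
     "name": "org.apache.logging.log4j/log4j-core", "fixed_in": "2.15.0"},
    {"id": "EXAMPLE-2024-0001", "type": "maven",            # hypothetical
     "name": "org.example/legacy-parser", "fixed_in": "1.3.0"},
]


def dependency_paths(sbom):
    """BFS from the root component. Returns {bom-ref: path-from-root}; depth is
    len(path) - 1. Listed components unreachable from the root map to None, so a
    stale SBOM entry is visible rather than silently dropped."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:              # first visit in BFS = shortest path
                paths[child] = paths[cur] + [child]
                queue.append(child)
    for comp in sbom.get("components", []):
        paths.setdefault(comp["bom-ref"], None)
    return paths


def scan(sbom, advisories):
    """Match component purls against advisories by (type, name) and compare versions
    against fixed_in. Each finding carries the path from the root so the owner of the
    top-level dependency can be located; findings are ordered shallow-first."""
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom["components"]:
        ptype, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["type"], adv["name"]) != (ptype, name):
                continue
            if version_key(version) < version_key(adv["fixed_in"]):
                path = paths[comp["bom-ref"]]
                findings.append({"id": adv["id"], "purl": comp["purl"], "fixed_in": adv["fixed_in"],
                                 "depth": None if path is None else len(path) - 1, "path": path})
    findings.sort(key=lambda f: (f["depth"] is None, f["depth"] or 0))
    return findings


if __name__ == "__main__":
    for f in scan(SBOM, ADVISORIES):
        where = "unreachable from root" if f["path"] is None else " -> ".join(f["path"])
        print(f"{f['id']}: {f['purl']} (fixed in {f['fixed_in']}) depth={f['depth']} via {where}")
```

Run as-is it reports the Log4j finding at depth 1 and the legacy parser at depth 6, with the full chain of intermediate packages. A real pipeline would load the SBOM produced by the build (`json.load` on a CycloneDX file) and pull advisories from a feed keyed by purl, but the graph walk and the path-to-root reporting are the parts that turn a component list into something a team can act on.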

OWASP took an important step; now the industry must take one too

OWASP is correct to elevate software supply chain failures as a root cause of software weaknesses today. It forces global recognition of what security teams have been seeing for years, and highlights that software trust is as important as software function.

Now the responsibility shifts to manufacturers, integrators, developers, and operators to confront the risk head-on. That means building transparency into the software creation process, embracing Secure-by-Design principles, and reducing the unmanaged legacy components that quietly accumulate over time.

Joseph M. Saunders

Joe Saunders is founder and CEO of RunSafe Security. He leads a team of former national security cyber experts on a mission to make critical infrastructure safe. Working with companies such as Lockheed Martin, GE Vernova, and Vertiv as well as the US Army, US Navy, US Air Force, and dozens of other organizations, RunSafe Security identifies risk in your software supply chain, prevents exploitation of embedded systems, and monitors software for indicators of compromise and bugs.  

Joe is also Chairman of Ask Sage, a cloud-agnostic and large-language-model-agnostic platform transforming how government and business operate. He previously served as a management consultant at PricewaterhouseCoopers, a director at Thomson Reuters Special Services, and a member of the management team at TARGUSinfo (sold to Neustar for $800M).

Joe is a frequently sought-after speaker and panelist, regularly asked to author articles on cybersecurity, artificial intelligence, and geopolitics. He is particularly interested in the implications of technological competition, economic coercion, and international security for the transformation of the international order. He is the founder of the International Resilience Institute, a 501(c) (3) non-profit that is building the Global Resilience Index to quantify power and coercion among nation-states.
