
Forrester Expert Explores Latest Supply Chain Attack Trends

Attackers Upping Their Game, Injecting Malware Code Directly Into Victims' Systems
Janet Worthington, senior analyst, Forrester (Image: Forrester)

Supply chain attacks have evolved from exploiting organizations that haven't patched vulnerabilities in open-source libraries to proactively targeting victims with malicious code.


Next-generation software supply chain attacks either inject poisoned code directly into a victim's system or get a company to download a piece of software that has vulnerable code in it, said Forrester Senior Analyst Janet Worthington. Adversaries are increasingly using typosquatting and dependency confusion to disguise malicious packages in code repositories and trick users into downloading them, she said (see: BlueVoyant CEO on How to Remediate Supply Chain Defense Bugs).

"Attackers are actually finding ways to get malicious code into the victim's system through these open-source libraries," Worthington said. "It behooves everybody to make sure that they're following good software supply chain practices because all you need is a little tiny cog in that big chain to get compromised and then you, as a large organization, will be a target for attack."
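The two techniques named above, typosquatting and dependency confusion, can both be caught early with a simple lint over a dependency manifest before anything is installed. The script below is an added example and is not code from the article, from Forrester or from ISMG; the package allowlist, the internal name prefix `acme-`, the public-index snapshot and the sample manifest are all constructed for illustration, and a real check would replace the snapshot with a query against the actual registry.

```python
"""Manifest lint for two software supply chain risks:
- typosquatting: a name that is one or two edits away from a known package;
- dependency confusion: an internal package name that also exists on the
  public index, or that is left unpinned so a resolver may prefer a public copy.
Added example, not the article's or any vendor's code. All data is constructed."""

from dataclasses import dataclass

# Constructed allowlist of public packages the (hypothetical) team relies on.
KNOWN_PUBLIC = frozenset({"requests", "numpy", "pandas", "flask", "cryptography"})
# Constructed prefix for the organisation's internal packages (hypothetical).
INTERNAL_PREFIXES = ("acme-",)
# Constructed stand-in for "names that resolve on the public index" (offline).
PUBLIC_INDEX_SNAPSHOT = frozenset(KNOWN_PUBLIC | {"acme-auth", "reqeusts"})

# Constructed requirements.txt style manifest with one of each problem in it.
SAMPLE_MANIFEST = [
    "requests==2.31.0",
    "reqeusts==1.0.0        # two letters transposed: typosquat candidate",
    "acme-auth==1.4.0       # internal name that also exists publicly",
    "acme-logging           # internal name with no version pin",
    "numpy==1.26.0",
]


@dataclass
class Finding:
    package: str
    kind: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str):
    """Return (normalised_name, version_or_None), or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if "==" in line:
        name, version = line.split("==", 1)
    else:
        name, version = line, None
    name = name.strip().lower().replace("_", "-")
    return name, (version.strip() if version else None)


def lint_requirements(lines, known_public=KNOWN_PUBLIC,
                      internal_prefixes=INTERNAL_PREFIXES,
                      public_index_names=frozenset()):
    """Flag typosquat candidates and dependency-confusion exposure in a manifest."""
    findings = []
    for line in lines:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, version = parsed
        if name.startswith(internal_prefixes):
            # Internal packages: the risk is a public package with the same name,
            # or an unpinned requirement that lets the resolver pick a higher
            # version from the public index.
            if name in public_index_names:
                findings.append(Finding(name, "dependency-confusion",
                                        "internal name also published on the public index"))
            if version is None:
                findings.append(Finding(name, "unpinned-internal",
                                        "internal package without an exact version pin"))
            continue
        if name in known_public:
            continue
        # Unknown public name: compare against the allowlist for near misses.
        # Longer names tolerate two edits, short names only one, to limit noise.
        for known in sorted(known_public):
            d = edit_distance(name, known)
            if 0 < d <= (2 if len(known) >= 6 else 1):
                findings.append(Finding(name, "typosquat",
                                        f"{d} edit(s) from known package {known!r}"))
                break
    return findings


def scan_sample():
    """Run the lint over the constructed manifest and snapshot."""
    return lint_requirements(SAMPLE_MANIFEST, public_index_names=PUBLIC_INDEX_SNAPSHOT)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.kind:22} {f.package:14} {f.detail}")
```

In practice the allowlist is the set of direct dependencies already reviewed for the project, and the snapshot is replaced by a lookup against the real registry; the unpinned-internal check is the cheap part, since pinning versions (or, better, hashes) and serving internal packages only from a private index removes the confusion path entirely.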

In this video interview with Information Security Media Group, Worthington also discusses:

  • How the SolarWinds and Log4j hacks reshaped the supply chain security market;
  • To what extent cybercriminals mimic the supply chain tactics of nation-state actors;
  • How startups and established vendors intend to help address supply chain risk.

Worthington advises security and risk professionals on product security, proactive security design, securing new development methods, security testing in the software delivery life cycle, and collaboration between security, development and product management. Prior to joining Forrester in December 2021, she was a senior product manager at Robin. Before that, she spent seven years at Veracode. As a security program manager, she helped Fortune 100 companies roll out application security programs across their organization, and she has led software quality assurance, release engineering and project teams at a number of startup technology companies.


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



