Cybersecurity

Securing software supply chains: how to safeguard against hidden dependencies

Regulation has served as an important driver of software supply chain resilience.

Regulation has served as an important driver of software supply chain resilience.

Image: Getty Images/iStockphoto

This article is part of: Centre for Cybersecurity
  • With increased reliance on third-party software suppliers and open-source software, businesses face an uphill battle in securing their software environments.
  • High-profile breaches like SolarWinds highlight the potentially devastating effects of compromised software dependencies.
  • While regulations have become a key driver for addressing vulnerabilities, it is critical for organizations to adopt proactive strategies derived from best practices and learnings from past incidents.

As the increase in connectivity and rapid innovation continues, organizations are becoming increasingly dependent on software products, services and providers. Modern software applications are rarely built entirely from custom code; instead, they integrate a mix of open-source components, APIs, libraries, plug-ins, configurations and cloud infrastructure. Open-source software (OSS) now makes up an estimated 70-90% of any given software package.

This growing dependence adds complexity, reduces direct control over software environments and introduces new security vulnerabilities. In today’s digital world, these challenges extend beyond IT into operational technology and industrial systems, magnifying the risks for critical infrastructure industries such as energy, healthcare, or food and agriculture.

High-profile software supply chain breaches in recent years have underscored the risks of complex interdependencies, revealing the potential for ecosystem-wide disruptions. In 2019, the SolarWinds breach impacted over 30,000 organizations, including several US government agencies. Often referred to as one of the most significant cybersecurity breaches in history, attackers compromised SolarWinds’ development environment and embedded malicious code into software updates distributed to thousands of customers worldwide. On average, affected companies lost 11% of their annual revenue.

The July 2024 IT outage further highlighted the disruptive potential of supply chain incidents. A flawed update to a cloud-based security software triggered malfunctions in 8.5 million Microsoft Windows devices, disrupting airlines, banks, broadcasters, healthcare systems and payment infrastructure worldwide.

The list of high-profile software supply chain incidents is long, including the infamous Log4j and MOVEit vulnerabilities, all of which underscored the potentially far-reaching ripple effects and severe consequences of compromised software dependencies.

Supply chain dependencies top the list of current cybersecurity concerns.
Supply chain dependencies top the list of current cybersecurity concerns. Image: WEF

Key challenges in securing software supply chains

Modern software depends on a network of interconnected components. A single compromised dependency can trigger cascading security issues throughout an entire ecosystem. The Global Cybersecurity Outlook 2025 demonstrated that vulnerabilities arising from complex supply chain interdependencies are a primary concern for business and cyber leaders. In fact, even organizations with robust security measures struggle to manage and oversee these dependencies effectively. Key challenges include:

  • Third-party weaknesses. Weak security practices among third-party providers can expose the entire supply chain. If a third party is compromised, it can act as an entryway for malicious actors to an entire network of customers.
  • Unpatched vulnerabilities in open-source components. Open-source components can contain known vulnerabilities that remain unpatched. A study revealed that 84% of codebases include at least one known open-source vulnerability. Additionally, inadequate maintenance of OSS components can leave them outdated and susceptible to exploitation.
  • Malicious code insertion. The open nature of OSS ecosystems can make them a target for attackers who intentionally introduce malicious code. This can compromise software at its source or during distribution.
  • AI data poisoning. In recent discussions, AI data poisoning has been compared to traditional software supply chain attacks. With the increasing AI adoption, many organizations rely on externally developed and trained models, which can be susceptible to "data poisoning" attacks. These occur when threat actors corrupt the training data, compromising the AI’s outputs and potentially impacting interconnected systems within an organization.

Regulation as a driver for resilience

Regulation has served as an important driver of software supply chain resilience. According to the Global Cybersecurity Outlook 2025, 78% of CISOs and 87% of CEOs identify improving security posture and mitigating cyber risks as primary motivations for adopting new regulations.

Globally, regulators and policy-makers have accelerated efforts to implement requirements on certifications, reporting and accountability, fostering greater trust and resilience across the software supply chain. The EU Cyber Resilience Act (CRA), for example, mandates third-party supplier assessments, continuous software monitoring, vulnerability scanning and transparent Software Bill of Materials (SBOM), with non-compliance penalties of up to €15 million or 2.5% of an organization’s global revenue. In the United States, Executive Order 14028 enforces secure development practices, with standards established by agencies like NIST and CISA.

Actions for secure software supply chains

However, to effectively address software supply chain issues, organizations need to go beyond implementing regulation and adopt proactive strategies derived from best practices and learnings from past incidents. Actions that have shown to be key include:

  • Secure coding practices. To mitigate internal development risk, it is key to implement foundational principles that minimize vulnerabilities and integrate security into the development process, making the software resilient against potential threats. Ensure that all open-source components come from trusted sources and set guidelines for their use. Clear responsibility for software security needs to be established, with mechanisms for accountability in place to ensure developers follow secure coding practices.
  • Software Bill of Materials (SBOM). To enhance transparency and visibility, SBOMs provide a comprehensive list of all components used in software, ultimately helping an organization to identify potential security risks.
  • Continuous monitoring. It is key to regularly scan for vulnerabilities and keep all software components up to date. AI can be a helpful tool in doing so, used for proactive monitoring, identifying vulnerabilities, detecting threats early, and reducing time-to-market pressures that often compromise secure development practices.
  • Strengthened vendor management and risk assessment. Organizations must implement robust vendor management practices, conduct thorough risk assessments, and ensure that third-party providers adhere to strong security protocols. Regular auditing and proactive assessment and monitoring are key for mitigating potential risks. Limiting access to sensitive parts of the software supply chain can further help to reduce the risk of unauthorized access.
Cyber resilience is an organization’s ability to minimize the impact of significant cyber incidents on its primary goals and objectives.
Cyber resilience is an organization’s ability to minimize the impact of significant cyber incidents on its primary goals and objectives. Image: WEF

Adopting a resilience mindset

While these practices can reduce the likelihood of incidents, the reality is that even the most secure organizations cannot completely prevent software supply chain breaches. This is especially true when it comes to third parties, where fully eliminating or adequately mitigating risks across an extensive network of suppliers and vendors is often unfeasible.

Discover

How is the Forum tackling global cybersecurity challenges?

However, organizations can reduce the impact of incidents by adopting a cyber resilience approach. By anticipating and planning for software supply chain incidents, organizations can leverage a comprehensive toolbox of methods to prepare for, detect, withstand and recover as quickly as possible – eventually minimizing downtime, safeguarding critical assets, including stakeholder trust, reputation and financial performance, and enabling growth in the long term.

Ultimately, in face of the growing software supply chain risks, building robust cyber resilience has become critical for organizations to effectively prepare for current and future cyber challenges.

Accept our marketing cookies to access this content.

These cookies are currently disabled in your browser.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Share:
World Economic Forum logo

Forum Stories newsletter

Bringing you weekly curated insights and analysis on the global issues that matter.