DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Dependency Security Scanning

The Rising Threat of Dependency-Based Attacks

Software supply chain attacks have surged in recent years, with a 742% average annual increase according to Sonatype. A major factor driving these attacks is the widespread use of vulnerable dependencies, with 1.2 billion downloads of insecure packages occurring monthly. One of the most concerning risks is dependency confusion, where attackers publish malicious packages mimicking internal libraries, a vulnerability affecting nearly 49% of organizations.

Recent high-profile incidents highlight the severity of these attacks. The MOVEit data breach in 2023 compromised nearly 100 million individuals due to a vulnerability in file transfer software. Similarly, the Log4Shell vulnerability in 2021 exposed thousands of organizations to remote code execution attacks due to flaws in the widely used Log4j library. Shockingly, 18% of all attacks in 2021 targeted vulnerabilities first discovered in 2013 or earlier.
