Supply Chain and Vulnerability Data Gaps Undermining Security Programs
A recent ISC2 survey of over 1,000 cybersecurity professionals highlights growing concern about the risks introduced by expanding vendor ecosystems and supply chain sprawl. Nearly 70% of organizations are worried about third-party supplier risks, with the highest concern in enterprises and sectors handling sensitive data such as finance and government. Lack of visibility into vendor and subcontractor security practices remains a critical challenge, with many organizations relying on trust rather than verification. One in three respondents reported experiencing a vendor-related security incident in the past two years, yet almost half did not feel a direct impact, raising questions about continuity and the reliability of vendor security claims.
Compounding these risks, a Sonatype analysis reveals that the vulnerability scoring infrastructure, particularly the NVD and CVE programs, is failing to keep pace with modern software development practices. In 2025, 64% of open source CVEs lacked a CVSS score in the NVD, forcing security teams to make risk decisions with incomplete data. Discrepancies in severity ratings and significant delays—averaging six weeks between disclosure and scoring—undermine the effectiveness of automated security tools and response cycles. These gaps in both supply chain visibility and vulnerability intelligence are eroding confidence in the data that underpins security programs, increasing the likelihood of both missed threats and wasted resources.
Sources
Related Stories
Escalating Software Supply Chain Security Risks and Industry Response
Recent high-profile incidents such as the SolarWinds, MOVEit, and Log4Shell breaches have underscored the critical vulnerabilities present in the software supply chain, prompting organizations to prioritize third-party risk management and supply chain security at the executive level. Security leaders now recognize that every external dependency, from open-source libraries to SaaS platforms, represents a potential attack vector, with 69% of organizations reportedly impacted by a supply chain security event in the past year. The MOVEit and SolarWinds attacks, in particular, demonstrated how a single compromised vendor can trigger widespread data breaches and operational disruptions across thousands of downstream organizations. In response to these threats, companies are increasingly adopting third-party risk management tools and modern application security practices to monitor and secure their extended digital ecosystems. Industry reports highlight a gap between awareness and implementation of foundational security controls, with many organizations failing to mandate essential protections despite acknowledging the risks. Regulatory bodies such as CISA have also identified supply chain attacks as one of the most persistent and damaging threats, emphasizing the need for proactive, holistic risk management strategies that extend beyond internal systems to encompass the entire vendor ecosystem.
4 months ago
Industry reports highlight growing software security debt and DevSecOps supply-chain exposure
Recent industry reporting based on *Veracode’s 2026 State of Software Security* findings indicates **security debt**—defined as known vulnerabilities left unresolved for more than a year—has become a widespread governance and risk-management issue for CISOs. Across analysis of **1.6 million unique applications** assessed via static/dynamic analysis, SCA, and penetration testing, Veracode reported security debt present in **82% of organizations** (up from 74% in 2025) and **critical security debt** in **60%** (up from 50%), reflecting that long-lived, high-severity/high-exploitability issues are increasingly persisting across release cycles, particularly in legacy or high-dependency code where teams are reluctant to make changes. Separately, *Datadog’s State of DevSecOps 2026* reporting describes software supply-chain and pipeline practices that sustain this exposure in cloud-native environments: **87% of organizations** were observed running at least one exploitable vulnerability in production services, affecting **40%** of those services. The report highlights growing dependency lag (median **278 days** behind the latest major version, up from 215 days) while also noting a countervailing risk pattern where **half of organizations** adopt third-party libraries within **one day** of release, increasing the chance of ingesting malicious or insufficiently vetted code; it also flags build/pipeline surface area (e.g., widespread GitHub Actions usage) as part of the broader DevSecOps risk picture.
2 weeks agoPersistent Software Weaknesses Highlighted by MITRE and the Role of Vulnerability Databases
MITRE’s 2025 CWE Top 25 Most Dangerous Software Weaknesses report reveals that foundational coding errors, such as cross-site scripting and SQL injection, continue to be the primary causes of real-world breaches. Despite advancements in security tools, DevSecOps practices, and increased awareness, the same core weaknesses are repeatedly exploited, underscoring a systemic failure to address root causes in software development. The report emphasizes that organizations focusing solely on patching individual CVEs without addressing underlying CWEs remain vulnerable to recurring threats, as these weaknesses represent the fundamental flaws attackers leverage most frequently. Vulnerability databases play a critical role in cataloging known software vulnerabilities, but they are not comprehensive and often suffer from delayed updates and incomplete coverage. Transparency in vulnerability disclosure is essential for trust, yet many vulnerabilities remain unregistered due to complex reporting processes and disincentives for public disclosure. Security professionals are advised to use vulnerability databases as one tool among many, recognizing their limitations and the importance of proactive security testing and defense-in-depth strategies to mitigate risks from persistent software weaknesses.
2 months ago