These sophisticated attacks are difficult to detect and mitigate. Lewis said organizations should focus on cyber resilience over prevention because history has shown attackers won't be stopped all the time. He also recommended organizations implement microsegmentation to make lateral movement and data exfiltration more difficult for adversaries.
The number of open source software attacks has grown rapidly, with supply chain management vendor Sonatype tracking more than half a million new malicious packages since November 2023.
The Open Source Security Foundation (OpenSSF), a community of software and security engineers, predicted open source software attacks will continue to rise in 2025.
Part of the challenge is that developers aren't always trained in security, said Christopher Robinson, chief security architect at OpenSSF. And many organizations don't properly vet their applications, he added. Rather, they just "blindly take in components" that could expose themselves and their customers to vulnerabilities.
To mitigate issues, Robinson recommended requesting vendors' software bills of materials (SBOMs) to understand the components of their software, and conducting fuzzing, source code analysis and vulnerability scanning to assess software security. Companies and vendors should also report and share potential security issues to keep others and the open source community informed, he added.
As the number of open source supply chain attacks increases, expect regulations to follow. Robinson said OpenSSF is already working on open source regulation with the European Commission and has heard Japanese and Indian governments are considering similar legislation.