With attackers targeting the supply chain to expand their reach, developers need a comprehensive approach beyond SBOMs and tracking CVEs.

The speed and volume of modern software development lead developers to pull code from many sources. The result is open source software (OSS) supply chains that are both increasingly important and ever harder to manage. Cloud-native environments add further complexity to an already difficult situation.
Software Composition Analysis (SCA) is an important piece of any OSS security approach, but it works mainly by matching declared dependencies against databases of known vulnerabilities (CVEs). With threat actors finding ways to compromise even trusted OSS packages, a package with no known CVE can still be malicious, so SCA alone is not enough. The right solution should automate security scanning, detect malicious packages, monitor contributor reputation, and apply behavioral analysis to assess whether a package has become malicious.
This ESG Showcase solution brief delves into the challenge of finding a comprehensive approach to open source supply chain security. It considers:
  • The complexity of cloud-native software supply chains
  • Going beyond basic SCA to secure your supply chain
  • The Checkmarx approach to fully integrated, proactive open source Supply Chain Security

Some key findings include:

  • ESG research shows that modern codebases are heavily dependent on open source.
  • 35% of respondents said that 50% to 75% of their codebase comes from open source.
  • Fewer than half of respondents reported that their organization currently uses security controls for OSS.