Software Supply Chain Security Predictions for 2025
This year, we focus on the evolving role of AI, pressing software security concerns, and emerging regulations.
Michael Lieberman
January 13, 2025
As we make our way into 2025, the focus on software supply chain security intensifies. For this year’s Software Supply Chain Security predictions, we focus on the evolving role of AI, pressing software security concerns, and emerging regulations.
1. Enhanced Integration of SBOMs, SLSA, and Attestations in Open Source Ecosystems
Open source software distributors are increasingly embracing Software Bill of Materials (SBOMs), Supply Chain Levels for Software Artifacts (SLSA), and attestations. This integration will enable greater confidence among software consumers, empowering them to address risks and answer critical questions about their software stack.
This shift will also establish a crucial feedback loop for identifying and addressing gaps in SBOMs and attestations, enriching the ecosystem over time. By fostering transparency and accountability, these advancements will strengthen trust in open source solutions.
2. A Critical AI Vulnerability Could Mirror Log4j
Artificial intelligence is undeniably transformative, but it’s in a precarious position. AI solutions are valuable yet expensive, leading some businesses to adopt them hastily without fully assessing usability or cost-effectiveness.
This rushed approach could lead to vulnerabilities akin to the infamous Log4j incident. While it’s uncertain whether a breach of similar magnitude will occur, the XZ attack and other large-scale incidents in 2024 underscore the growing risks.
On the positive side, organizations are improving their preparedness. They’re leveraging SBOMs, maintaining comprehensive inventories of deployed assets, and adopting robust security tools like those offered by OpenSSF. These measures may help mitigate the impact of any significant vulnerabilities.
3. The Rising Threat of Data Poisoning in Large Language Models (LLMs)
One of the most concerning trends is the increasing sophistication of data poisoning attacks targeting large language models. These attacks manipulate LLMs or corrupt training data, exploiting the lack of transparency in many pre-trained models freely available online.
A notable example occurred with Hugging Face in 2024, where more than 100 LLMs were found to contain hidden backdoors capable of executing malicious code. While such attacks require more resources than simpler methods, their stealth makes them harder to detect and address. This trend signals a pressing need for greater vigilance and transparency in the AI supply chain.
4. Attackers May Outpace Defenders Without Proactive Measures
Cyber attackers, driven primarily by financial incentives, continue to outpace defenders, who often lack adequate resources. Security isn’t typically viewed as a revenue generator, leading to underinvestment in protective measures.
It may take a major AI supply chain breach, akin to the SolarWinds Sunburst incident, to prompt widespread adoption of proactive and holistic security strategies. Until then, defenders must push for greater budgets and innovative approaches to stay ahead of increasingly sophisticated threats.
5. Regulatory Changes to De-Risk Open Source Software
Supply chain attacks remain a persistent issue, affecting both proprietary and open source software. While open source isn’t inherently riskier, it faces unique challenges due to evolving government regulations.
In 2025, these regulations, such as the Cyber Resilience Act (CRA), will drive significant investments in de-risking open source software. Large organizations will take on greater responsibility, evolving into trusted intermediaries accountable for supporting the open source projects underpinning their enterprise solutions.
This shift could transform how the industry approaches open source security, fostering collaboration and shared accountability.
A Look Ahead
Our predictions underscore the importance of proactive, collaborative, and innovative approaches to tackling the evolving threat landscape. By anticipating threats rather than merely reacting to them, organizations can better safeguard their systems, protect sensitive data, and mitigate risks.
Read more about how Kusari can help.
Like what you read? Share it with others.
.webp)
.webp)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
Previous
No older posts
Next
No newer posts
Want to learn more?