
Software Supply Chain Security Predictions: Hits & Misses from 2024

As 2025 approaches, it’s time to revisit our 2024 software supply chain security predictions to see how they held up.

Michael Lieberman

December 29, 2024

2025 is coming up fast, so I’ll have predictions coming soon. Before we get there, here’s a reflection on my 2024 Software Supply Chain Security predictions with grades based on what really happened. Let's dive in and see how things evolved.

Software build disclosures and attributions will be paramount

Grade: A-

Evidence: There’s been lots of industry discourse about software supply chain transparency this year. Reports from associations, like Cloud Native Computing Foundation (CNCF), Open Source Security Foundation (OpenSSF), and the Linux Foundation have noted the exacerbated risk from limited visibility into third-party dependencies and proprietary vendor software. Attestations and SBOMs (Software Bill of Materials) are in greater use. Best practices adoption is on the rise, per the recently updated Software Supply Chain Security Best Practices (v2) white paper.
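To make the visibility point concrete, here is an added example (not code from the original post or from any of the reports it cites) of the kind of check that SBOMs and attestations together enable: walk a CycloneDX-style SBOM, and for every component ask whether a provenance attestation binds to its digest. The SBOM, the in-toto Statements and the package names in it are constructed sample data, and the predicate type is the SLSA provenance URI; binding is by digest only, since an in-toto subject name is informational, not a cryptographic link.

```python
import hashlib
import json

# Constructed sample SBOM (CycloneDX shape, only the fields read below).
# Package names are made up; "no-hash-lib" deliberately carries no hash,
# which is a common real-world gap in generated SBOMs.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:pypi/requests@2.32.3",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"requests-2.32.3").hexdigest()}]},
        {"type": "library", "purl": "pkg:pypi/left-pad-like@0.1.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"left-pad-like-0.1.0").hexdigest()}]},
        {"type": "library", "purl": "pkg:pypi/no-hash-lib@1.0.0"},
    ],
}

# Constructed in-toto Statements carrying SLSA provenance predicates.
# The second one names the right package but attests a different digest,
# so it must NOT count as coverage for the SBOM entry.
ATTESTATIONS = [
    {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:pypi/requests@2.32.3",
                     "digest": {"sha256": hashlib.sha256(b"requests-2.32.3").hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {"buildType": "https://example.com/ci-build"}},
    },
    {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:pypi/left-pad-like@0.1.0",
                     "digest": {"sha256": "00" * 32}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},
    },
]


def sbom_digests(sbom):
    """Map each component purl to its SHA-256 (lowercase hex), or None if the SBOM gives no hash."""
    out = {}
    for comp in sbom.get("components", []):
        sha = None
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                sha = h["content"].lower()
        out[comp["purl"]] = sha
    return out


def attested_digests(statements, predicate_type="https://slsa.dev/provenance/v1"):
    """Set of subject sha256 digests from statements with the wanted predicate type."""
    have = set()
    for st in statements:
        if st.get("predicateType") != predicate_type:
            continue
        for subj in st.get("subject", []):
            sha = subj.get("digest", {}).get("sha256")
            if sha:
                have.add(sha.lower())
    return have


def provenance_gaps(sbom, statements):
    """Classify every SBOM component: ok, not-attested, or no-hash-in-sbom."""
    want = sbom_digests(sbom)
    have = attested_digests(statements)
    report = {}
    for purl, sha in want.items():
        if sha is None:
            report[purl] = "no-hash-in-sbom"      # cannot bind anything to it
        elif sha in have:
            report[purl] = "ok"
        else:
            report[purl] = "not-attested"         # no statement covers this exact digest
    return report


if __name__ == "__main__":
    print(json.dumps(provenance_gaps(SBOM, ATTESTATIONS), indent=2))
```

The useful output is the two non-"ok" rows: a component the SBOM cannot even pin to a digest, and one whose only attestation covers a different artifact. A real pipeline would first verify the DSSE envelope signatures around each Statement (with sigstore, for instance) before trusting any subject digest; that step is omitted here to keep the data-model check self-contained.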

Security and development teams will deepen collaboration

Grade: B+

Evidence: There’s been definite traction in DevSecOps adoption, focusing on security earlier in the development cycle. Responsibilities between security and development teams are evolving and being invested in, per the GitLab 2024 Global DevSecOps Report. Larger organizations and those in regulated industries with security mandates have embraced DevSecOps practices, but they are not widespread among smaller companies.

Open source AI projects will increase vulnerabilities

Grade: A

Evidence: Several confirmed, well-documented incidents have occurred this year. Recently, the Blue Alpha APT abused Cloudflare Tunnels to bypass perimeter controls and reach cloud systems. The Ultralytics compromise is also worth mentioning: the attack itself was not AI-driven, but it hit a widely used open source AI library, with malicious releases of the package pushed to PyPI. The NTT Data Global Threat Intelligence Report 2024 reported a 600% rise in AI-assisted cyberattacks during the first half of 2024. Capgemini’s Generative AI in Cybersecurity report also supported this prediction, finding that 97% of organizations experienced at least one security breach related to generative AI in the past year. Lastly, phishing email volume has soared, leading Chief Information Security Officers (CISOs) to express growing concern over AI-facilitated phishing and deepfake fraud.

AI will help address more complex cybersecurity scenarios

Grade: B

Evidence: Tools like GitHub Copilot X and AI-driven vulnerability scanners have shown improvements this year. They have proven effective at identifying code vulnerabilities, primarily when it comes to detecting common patterns like misconfigurations and unpatched software. They still need work on complex scenarios and context-specific security challenges. Some recent counter-evidence is AI being used (intentionally or not) to overwhelm maintainers with "slop" vulnerability reports.
