More than 90% of organizations have experienced a software supply chain incident in the past 12 months, according to research by Enterprise Strategy Group (ESG). Gartner even expects the costs of such attacks to rise to $138 billion per year globally by 2031. Multiple studies show comparable figures.
OWASP (the Open Worldwide Application Security Project) has added software supply chain failures as a new category at position 3 in its Top 10 for 2025. All of this is reason to look more closely at this development.
What are software supply chain failures?
A software supply chain failure occurs when a vulnerability, error, or malicious manipulation somewhere in the software chain leads to risks or incidents for customers. This can happen at various points in the chain, for example:
- During software development (insecure code, vulnerable libraries)
- In update processes (compromised updates)
- Through third-party dependencies (open source packages, APIs)
- Due to inadequate patch and vulnerability management by suppliers
What characterizes this risk is that you can be affected without having directly done anything ‘wrong’ yourself.
Why are these risks increasing?
There are multiple developments that structurally make software supply chain failures more likely. First, software is becoming increasingly modular. Modern applications consist of dozens to hundreds of external components and open source libraries. Each additional dependency increases the risk.
Additionally, suppliers are automating their deployment and updates. This increases speed, but it also makes abuse far more scalable: a malicious update spreads rapidly. Finally, attackers are increasingly targeting suppliers with many customers. The return on one successful attack is simply greater than attacking end organizations one by one.
Known examples
If you consult search engines, you will encounter a long list of incidents. The following examples received particularly extensive news coverage.
- SolarWinds (2020): One of the most well-known examples, where attackers infiltrated the “Orion” network management software and installed a backdoor through an automatic update at thousands of customers, including US government agencies.
- Log4j / Log4Shell (2021): A critical vulnerability in a widely used, open-source Java logging library. Because this library was embedded in countless applications, attackers could take over servers on a large scale.
- Ivanti has repeatedly been targeted by advanced attackers in recent years. In 2023 and 2024, critical vulnerabilities were actively exploited by state actors. In 2025, new critical vulnerabilities were discovered that allow control over corporate devices to be gained without login credentials. Researchers point out that the abuse stems from how Ivanti implements open-source components and fails to keep them up to date.
The impact on organizations
The consequences of software supply chain failures for your organization naturally depend heavily on how dependent your organization is on the software in question and on how serious the disruption is.
The primary, direct impact may sometimes seem small, while the consequential damage can be significant. In the case of the Ivanti exploitation at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr), this even led to accountability in the House of Representatives.
For many organizations, it is particularly painful that they had little insight into the underlying software chain and only gained clarity after the damage was already done.
Why traditional supplier assessments fall short
Many organizations still rely on annual questionnaires, certifications, or contractual agreements. While useful, these tools fall short with dynamic software chains that can change every few weeks.
Questionnaires are snapshots: they say little about current vulnerabilities and provide no insight into technical dependencies. Software supply chain risk requires continuous monitoring and objective signals, not just paperwork.
Effectively dealing with software supply chain failures requires a different approach:
- Inventory which software suppliers are critical to your processes
- Map technical dependencies and digital chains
- Continuously monitor suppliers for vulnerabilities and incidents
- Combine technical signals with risk context
- Ensure clear internal responsibilities
The goal is not to eliminate every risk, but to recognize early signals and limit impact.
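As an added illustration (not RiskStudio's code and not part of the original article), the steps above in one small Python script: a constructed supplier inventory with criticality, a constructed dependency map, and a constructed vulnerability feed with placeholder IDs are joined so that the same technical signal is prioritized differently depending on how critical the supplier is to your processes.

```python
# Constructed example data (not real suppliers, products or vulnerability IDs).
# 1. Inventory: which software suppliers are critical to our processes.
SUPPLIERS = {"acme-vpn": "high", "foo-logger": "medium", "bar-widgets": "low"}

# 2. Dependency map: components (and versions) each supplier product embeds.
DEPENDENCIES = {
    "acme-vpn": {"log4j-core": "2.14.1", "openssl": "3.0.1"},
    "foo-logger": {"log4j-core": "2.17.1"},
    "bar-widgets": {"jquery": "3.6.0"},
}

# 3. Technical signal: a vulnerability feed as it might arrive daily (constructed entries).
VULN_FEED = [
    {"id": "EXAMPLE-VULN-1", "component": "log4j-core", "fixed_in": "2.17.1", "cvss": 10.0},
    {"id": "EXAMPLE-VULN-2", "component": "openssl", "fixed_in": "3.0.2", "cvss": 7.5},
]

# 4. Risk context: how much a finding at a supplier of a given criticality matters to us.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


def parse_version(version):
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_in):
    """A component is affected when its version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def prioritize(suppliers, dependencies, feed):
    """Join inventory, dependencies and feed; return findings sorted by weighted score."""
    findings = []
    for supplier, criticality in suppliers.items():
        for component, version in dependencies.get(supplier, {}).items():
            for vuln in feed:
                if vuln["component"] == component and is_affected(version, vuln["fixed_in"]):
                    findings.append({
                        "supplier": supplier,
                        "component": component,
                        "version": version,
                        "vuln": vuln["id"],
                        # Same CVSS signal, different priority depending on supplier criticality.
                        "score": vuln["cvss"] * CRITICALITY_WEIGHT[criticality],
                    })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(SUPPLIERS, DEPENDENCIES, VULN_FEED):
        print(f"{f['score']:5.1f}  {f['supplier']:<12} {f['component']} {f['version']} ({f['vuln']})")
```

Rerunning the join whenever the feed or the dependency map changes is what turns a one-off assessment into the continuous monitoring the list above calls for.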
Software supply chain failures and RiskStudio
Within RiskStudio, software suppliers form an explicit part of supply chain monitoring. By continuously profiling companies and software suppliers based on their digital profile, vulnerabilities, and incidents, a current picture of software supply chain risk emerges.
Instead of isolated assessments, RiskStudio provides continuous insights, benchmarking, and alerts, enabling organizations to react proactively when a software supply chain failure
Conclusion
Software supply chain failures are no longer exceptional incidents but structural risks in modern digital ecosystems. Organizations that rely on static assessments are lagging behind the facts. Only with continuous monitoring, insight into dependencies, and context-driven risk analysis does real control over the software chain emerge.
References and sources:
- OWASP – OWASP Top10:2025
- ESG 2024 – Research Report: The Growing Complexity of Securing the Software Supply Chain
- Gartner 2024 – Leader’s Guide to Software Supply Chain Security
- House of Representatives – Incident at the Data Protection Authority and the Council for the Judiciary
Frequently Asked Questions
What is the difference between a data breach and a software supply chain failure?
A data breach is often the result, while a software supply chain failure can be the underlying cause, for example through a vulnerable supplier.
Does this risk only concern large software suppliers?
No, particularly smaller niche suppliers can be critical because they are deeply embedded in business processes.
How often should you assess software suppliers?
Ideally continuously, as vulnerabilities and incidents can arise daily.
Is software supply chain risk relevant for NIS2?
Yes, NIS2 explicitly emphasizes chain and supplier risks, including ICT and software suppliers.