With software supply chain attacks rising year over year, 2025 marks a pivotal year for organizations to step up and lead in managing third-party risk rather than fall behind. According to Verizon’s “2024 Data Breach Investigations Report,” attackers increased their use of vulnerabilities to initiate breaches by 180% in 2023 compared to 2022, and 15% of breaches involved a supplier or third party, such as data custodians, hosting partner infrastructures, or software supply chains.
So, the question remains, “Why aren’t organizations better at managing security risks in the third-party software supply chain?”
Here are my insights and predictions on how organizations can move to a proactive posture over the next year.
Understand The Challenges First
Reflecting on third-party software-related attacks in 2024, several persistent challenges highlight areas where organizations must focus to strengthen resilience:
• Lack of Comprehensive Software Inventory – Many organizations lack visibility into their third-party software: where it’s installed, the key business processes it supports, and its security posture. This absence of context hinders secure configuration, the application of compensating controls, and a risk-based approach to mitigation, leaving software open to exploitation.
• Struggles with Vulnerability Management and Accountability – Keeping pace with newly disclosed software vulnerabilities remains a challenge, exacerbated by unclear accountability between IT teams (managing desktops, servers, and cloud environments) and third-party software users (end users, developers, and business teams). This gap delays patching and limits understanding of software’s role in critical business processes. Until organizations can shift software risk management left—beyond reactive patching—they will remain vulnerable to attackers.
• Challenges with Software Sprawl and Governance – Software sprawl continues to expand the attack surface, making it unpredictable and difficult to defend. Without governance and rationalization of their software inventory, organizations will struggle to manage risk effectively, perpetuating a cycle of reactive defenses against an ever-growing threat landscape.
Now that some of the challenges have been defined, here are a few strategies that organizations can take to tackle third-party software risk in the new year.
Develop A Common Operating Picture Across Various Teams – Without a shared view, teams like Third Party Risk Management, vulnerability management, security architecture, and cyber defense lack alignment and an operational perspective that would:
- Define the problem for specific pieces of software
- Identify collaboration points for managing it
- Quantify risk outcomes in ways that are measurable, testable, and reportable
Visibility alone isn’t enough to get ahead of software security risk, but it’s essential for moving from reactive responses—like vendor notifications and emergency patches—to an organized, proactive posture. While cybersecurity is full of overused military analogies, here’s one that holds true: a common operating picture is essential for effective combined operations. With a unified view, teams can collaborate effectively, and leaders can build structures that enable a coordinated, predictable, and sustainable approach to managing software supply chain risks. None of this is revolutionary thinking for those with experience in enterprise security, but unique insights are needed to power it.
Don’t Rely Solely on Reactive CVE Analysis
Organizations relying heavily on reactive CVE analysis often find themselves overwhelmed by the constant stream of vulnerabilities, many of which lack critical context or relevance to their specific environments. CVE-focused tools, while useful for tracking known issues, can inadvertently contribute to alert fatigue and inflate vulnerability management workloads. Instead of fostering proactive risk reduction, these tools may divert attention from prioritizing the most impactful threats. Shifting to a more strategic approach that uses behavioral analytics to uncover hidden security issues in software can empower teams to address the vulnerabilities that matter most and bolster overall security posture.
Enhance Software Security Through Comprehensive Management and Monitoring
• Adopt Rigorous Software Inventories: Maintain comprehensive visibility into all software used within the organization, including third-party and niche applications.
• Embrace Continuous Risk Monitoring: Regularly evaluate software for vulnerabilities, misconfigurations, and behavioral risks.
• Demand Vendor Transparency: Work with software suppliers who prioritize secure SDLC practices and provide detailed Software Bills of Materials (SBOMs) that focus on what vulnerable components are actually in use by the software so that exploitable vulnerabilities can be mitigated.
• Leverage Behavioral Analytics: Monitor software activity to detect abuse of excessive permissions or insecure functionality early, even before exploitation spreads.
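As an added illustration of the inventory-plus-SBOM prioritization the list above argues for (example code written for this page, not from the article or any vendor), the following joins a constructed software inventory, constructed SBOM fragments carrying an assumed vendor-supplied in_use flag, and placeholder advisory records, then ranks findings so that a vulnerable component that is actually loaded, widely installed and behind a critical business process outranks a higher-CVSS component that is shipped but never used.

```python
"""Rank third-party software findings by context rather than raw CVSS.
All data below is constructed for this example; advisory ids are placeholders
and the "in_use" flag stands in for a vendor-supplied VEX-style statement."""

# Constructed inventory: one row per third-party product the organisation runs.
INVENTORY = [
    {"software": "acme-billing", "hosts": 40, "process": "invoicing", "critical": True},
    {"software": "acme-dashboard", "hosts": 3, "process": "reporting", "critical": False},
]

# Constructed SBOM fragments: components each product ships; "in_use" is an
# assumed vendor flag saying whether the product actually loads the component.
SBOMS = {
    "acme-billing": [
        {"name": "libxml", "version": "2.9.0", "in_use": True},
        {"name": "log4j-core", "version": "2.14.1", "in_use": False},
    ],
    "acme-dashboard": [
        {"name": "log4j-core", "version": "2.14.1", "in_use": True},
    ],
}

# Constructed advisories keyed by (component, version); ids are placeholders.
ADVISORIES = {
    ("libxml", "2.9.0"): {"id": "ADV-PLACEHOLDER-1", "cvss": 7.5},
    ("log4j-core", "2.14.1"): {"id": "ADV-PLACEHOLDER-2", "cvss": 10.0},
}


def prioritise(inventory, sboms, advisories):
    """Return findings sorted by contextual score, highest first."""
    findings = []
    for item in inventory:
        for comp in sboms.get(item["software"], []):
            adv = advisories.get((comp["name"], comp["version"]))
            if adv is None:
                continue
            score = adv["cvss"]                           # base severity is only the start
            if not comp["in_use"]:
                score *= 0.1                              # shipped but never loaded: hard to reach
            score *= 1 + min(item["hosts"], 100) / 100    # wider footprint, wider exposure
            if item["critical"]:
                score *= 1.5                              # supports a key business process
            findings.append({"software": item["software"], "component": comp["name"],
                             "advisory": adv["id"], "process": item["process"],
                             "score": round(score, 2)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Calling prioritise(INVENTORY, SBOMS, ADVISORIES) puts the CVSS 7.5 libxml finding in the billing product first and the CVSS 10.0 log4j-core component that billing ships but never loads last.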
Conclusion
In 2025, the ability to understand, rationalize, and govern software risk will become essential for staying ahead of attackers. Organizations that embrace a proactive, unified approach to managing third-party software risks—grounded in visibility, accountability, and strategic prioritization—will not only reduce vulnerabilities but also foster greater resilience.