After two decades leading enterprise security across critical infrastructure and technology sectors, I’ve observed a dangerous pattern in how we discuss software supply chain attacks. The conversation focuses almost exclusively on risks hiding within open-source software packages. We’ve seen this firsthand through incidents where cybercriminals and nation-state actors leverage open-source code and platforms to their advantage.
Some of the more recent and highly reported incidents include the social-engineered compromise of XZ Utils and the glaring flaw in the Apache Log4j library that was both trivially exploitable and widespread. Beyond these high-profile incidents, many others are lurking in open-source packages.
However, here’s what keeps me up at night: open-source software is not the only risk in software supply chains. It isn’t even the biggest threat to businesses today. That distinction goes to closed-source, commercial software.
Having overseen security for organizations where software failures could impact millions of customers or critical infrastructure, I’ve learned a fundamental truth: while the world runs on open source, your business runs on commercial software. And ignoring these threats isn’t just risky, it’s negligent. In my experience, it may already be impacting your organization right now.
At ReversingLabs, we’ve identified seven critical risks that plague commercial software, or what we call Commercial Software’s Seven Deadly Sins. These include:
Malware
Though less prevalent than the other deadly sins of commercial software, we’ve documented multiple cybercriminal campaigns in the last year that successfully implanted malware in commercial applications. Notable examples include the Justice AV Solutions (JAVS) video surveillance software, which is particularly concerning given its use in courtrooms and government facilities, and iPany, a South Korean-made VPN client.
Our team recently conducted a comprehensive analysis of VPNs, examining 20 distinct versions of VPN clients from six prominent vendors. Of these, seven contained one or more software vulnerabilities that are patch-mandated and/or that are being actively exploited by malware. In one alarming case, a Windows VPN client from a vendor trusted by Fortune 500 companies contained more than 50 distinct CVEs, four of which were identified as being actively exploited by malware, and 12 assigned a “critical” or “high” severity rating. This was software protecting entire remote workforces.
Tampering
Instances of unexplained or malicious tampering are alarmingly common in our scans of commercial software binaries. These range from failed integrity validation checks that flag incomplete or corrupted file content to suspicious callouts to external command-and-control (C2) infrastructure. In my experience leading security operations, these are often the first indicators of a supply chain compromise.
Improperly Implemented Hardening Features
This covers a wide range of security lapses I’ve seen repeatedly across different industries, often linked to hasty development cycles or inadequate security reviews. Examples include poorly implemented address space layout randomization (ASLR) features, inadequate protections against exploits such as buffer overflows, and other security misconfigurations. In critical infrastructure environments, these oversights can have catastrophic consequences.
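As an added illustration, not code from the article or from ReversingLabs, the Python below reads the COFF and optional headers of a Windows PE image and reports the kind of hardening gaps described above: ASLR switched off, ASLR rendered ineffective because DYNAMIC_BASE is set but relocations were stripped, a 64-bit image without high-entropy ASLR, DEP/NX not opted in, and Control Flow Guard absent. The flag bits are the documented IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* constants; build_pe_headers constructs header-only sample images for the demonstration, and those samples are not loadable executables.

```python
import struct

# Documented PE flag bits: IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
DLL_HIGH_ENTROPY_VA, DLL_DYNAMIC_BASE, DLL_NX_COMPAT, DLL_GUARD_CF = 0x0020, 0x0040, 0x0100, 0x4000

def pe_hardening(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of an in-memory PE image and return its hardening flags."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                                           # IMAGE_FILE_HEADER, 20 bytes
    opt_size, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                                             # IMAGE_OPTIONAL_HEADER
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # Magic: 0x10B PE32, 0x20B PE32+
    dllc = struct.unpack_from("<H", data, opt + 70)[0]          # DllCharacteristics sits at +70 in both
    dynamic_base = bool(dllc & DLL_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {"pe32plus": pe32plus, "dynamic_base": dynamic_base, "relocs_stripped": relocs_stripped,
            # The loader can only rebase the image if relocations survived linking.
            "aslr_effective": dynamic_base and not relocs_stripped,
            "high_entropy_va": pe32plus and bool(dllc & DLL_HIGH_ENTROPY_VA),
            "nx_compat": bool(dllc & DLL_NX_COMPAT), "guard_cf": bool(dllc & DLL_GUARD_CF)}

def hardening_findings(data: bytes) -> list:
    """Reviewer-style findings for one image; an empty list means no hardening gaps were found."""
    h = pe_hardening(data)
    checks = [(not h["dynamic_base"], "ASLR disabled: DYNAMIC_BASE not set"),
              (h["dynamic_base"] and h["relocs_stripped"], "ASLR ineffective: DYNAMIC_BASE set but relocations stripped"),
              (h["pe32plus"] and not h["high_entropy_va"], "64-bit image without HIGH_ENTROPY_VA"),
              (not h["nx_compat"], "DEP/NX opt-out: NX_COMPAT not set"),
              (not h["guard_cf"], "Control Flow Guard not enabled")]
    return [msg for hit, msg in checks if hit]

def build_pe_headers(characteristics: int, dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for demonstration; it is not a loadable executable."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)      # e_lfanew = 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    opt[0:2], opt[70:72] = struct.pack("<H", 0x20B if pe32plus else 0x10B), struct.pack("<H", dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To check a real binary, pass the file contents to hardening_findings, for example hardening_findings(open("client.exe", "rb").read()).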
File Rot
Old and outdated files within modules accumulate like sediment over time. Having analyzed enterprise software portfolios across multiple sectors, I’ve found that older software components are highly sought-after targets for malicious actors. That’s because they often contain both exploitable vulnerabilities and undiscovered security holes, sometimes dating back over a decade.
Exposed Data
This is perhaps the most immediately actionable risk. Commercial software binaries often house significant volumes of sensitive software secrets that threat actors can abuse. Following our analysis of more than three dozen common commercial binaries licensed to enterprises, we found clear evidence of embedded and plaintext credentials, API tokens, private keys, and proprietary information.
One illustrative example from the broader industry is the GitHub Action attack, which affected more than 23,000 repositories. This attack resulted in significant exposure of development secrets essential to the Continuous Integration and Continuous Delivery (CI/CD) processes, with dozens of repositories affected, including some owned by larger organizations. When I see these incidents, I think about the cascading impact. One exposed credential can compromise an entire software supply chain.
Known And Exploitable Or Patch-Mandated Vulnerabilities
ReversingLabs detected more than 100 known, exploitable vulnerabilities (KEV) or patch-mandated vulnerabilities spread across the packages we analyzed. To put this in perspective, in highly regulated industries where I’ve worked, a single unpatched vulnerability could trigger regulatory action. One recent real-world example involved the Ivanti Endpoint Mobile Manager, where hackers breached solution users by exploiting vulnerabilities including CVE-2023-35078 and CVE-2023-35081, allowing unauthenticated attackers to achieve remote code execution.
Licensing Issues
Many commercial software binaries our researchers scanned had licensing compliance issues that could expose organizations to significant legal liability. Code covered by “copyleft” licenses was surprisingly common in commercial products. Having dealt with software audits in enterprise environments, I can attest that licensing violations can result in multi-million dollar penalties and forced infrastructure changes.
The biggest sin of all
Now for the uncomfortable truth. What do these seven sins mean for your business?
If your business runs on commercial software (and after 20+ years in this field, I can assure you it does), the biggest sin would be to continue relying solely on vendor trust, traditional questionnaires, and compliance spreadsheets as your primary means of software risk assessment. In my experience transforming enterprise security programs, this approach is fundamentally broken.
Security teams must develop the capability to identify threats lurking in closed-source software. For larger organizations with hundreds or thousands of software applications, this represents a significant undertaking. But here’s what I’ve learned: it’s not just about the volume of commercial software in your environment. As cyberattacks become increasingly sophisticated and public sector support for tracking software risks wanes, the burden falls squarely on enterprises to develop new methods for gaining visibility into the components, services, and risks hidden within today’s software ecosystem before deploying them.
The path forward is clear: implement binary analysis as a technical control. Just as we don’t accept financial statements without an audit, we shouldn’t accept software without verification. At ReversingLabs, we’ve analyzed over 50 billion files, more than 10 times the volume of our closest competitor, and what we’ve found should concern every security leader reading this.
The question isn’t whether your commercial software contains these seven deadly sins. It’s which ones are present in your environment right now, and what you’re prepared to do about it.
Saša is the chief trust officer (CTrO) at ReversingLabs, and operating partner at Crosspoint Capital, with approximately 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.