Fragile by Design: Large-Scale Evidence of Supply Chain Risk
The software supply chain is under unprecedented scrutiny, and the risks are deeper than most realize. To showcase the challenges in obtaining accurate and comprehensive SBOMs and the associated risk, our research team analyzed millions of binary image artifacts: firmware, containers, mobile and desktop applications, virtual machines, and cloud workloads.
The findings are unexpected and worrisome. 88% of firmware images analyzed contained at least 100 known vulnerabilities. More than half included hardcoded credentials that could easily be cracked. Nearly one-third exposed private keys or high-severity misconfigurations, and over 60% referenced outdated or unsupported open-source components. These aren’t isolated mistakes—they’re systemic patterns showing how fragile the supply chain has become.
These findings were not limited to one sector. Windows applications, industrial control systems, networking equipment, IoT devices, enterprise servers, and containers all showed similar trends. By examining the compiled code rather than relying solely on manifests or package metadata, the research highlighted risks that source-code analysis tools fail to capture.
Areas of focus in this session:
- The scope and methodology of the analysis: large-scale binary composition analysis and artifact correlation.
- The types of artifacts identified: vulnerabilities, credentials, certificates, keys, misconfigurations, provenance data, and runtime components.
- Cross-sector trends in how software is built and shipped, and how these practices create systemic exposures.
- The implications of correlated and aggregated findings, not only for product development organizations but also for third-party risk in global enterprises, given the overall fragility of the supply chain.
Attendee takeaways:
- A data-backed view of the fragility of the software supply chain, supported by real-world statistics.
- Why source code declarations and AppSec tools reflect intent, but compiled binaries expose reality.
- How patterns in vulnerabilities, secrets, and outdated libraries recur across different industries.
- Practical lessons for security leaders, researchers, and policymakers on building software assurance rooted in evidence, not assumptions.
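To make the "manifests reflect intent, binaries expose reality" point concrete, here is an added example (not the research team's tooling) that scans a constructed firmware blob for embedded version banners and PEM private-key headers and reports where the compiled artifact drifts from what its manifest declares. The component names, version strings, and blob contents are all constructed for illustration.

```python
import re

# Constructed sample: what the SBOM/manifest for the firmware image declares (assumption).
DECLARED_COMPONENTS = {"openssl": "3.0.13", "zlib": "1.3.1", "busybox": "1.36.1"}

# Constructed firmware blob standing in for a real image: the kind of strings a
# compiled binary actually embeds (version banners, a leaked PEM key) mixed with
# binary noise. Nothing here comes from a real product.
FIRMWARE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"zlib 1.2.11\x00"
    + b"BusyBox v1.36.1 (2024-01-01)\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIB...constructed...\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)

# Version banners that common components compile into their binaries.
VERSION_PATTERNS = {
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "zlib": rb"zlib (\d+\.\d+\.\d+)",
    "busybox": rb"BusyBox v(\d+\.\d+\.\d+)",
}
PEM_KEY_RE = rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"


def extract_embedded_versions(blob: bytes) -> dict:
    """Recover component versions from banners embedded in the compiled image."""
    found = {}
    for name, pattern in VERSION_PATTERNS.items():
        match = re.search(pattern, blob)
        if match:
            found[name] = match.group(1).decode()
    return found


def find_private_keys(blob: bytes) -> int:
    """Count PEM private-key headers shipped inside the image."""
    return len(re.findall(PEM_KEY_RE, blob))


def compare_manifest(declared: dict, embedded: dict) -> list:
    """Return (component, declared_version, embedded_version) for every drift."""
    drift = []
    for name, version in embedded.items():
        if declared.get(name) != version:
            drift.append((name, declared.get(name), version))
    return drift
```

Here the manifest claims current OpenSSL and zlib releases, but the binary carries older banners and a private key the manifest never mentions; that gap is what a binary-level SBOM surfaces and a declaration-based one misses.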