DevOps
Business Honor
16 April, 2025
Exposed secrets and vulnerabilities highlight the urgent need for deeper software supply chain security.
A recent ReversingLabs report raises significant concern about the security of commercial software in the software supply chain, finding that commercial software is no more immune to vulnerabilities than its open-source counterparts. For DevOps teams, the implication is that security practices need to be strengthened for both the proprietary and the open-source tools integrated into modern development pipelines.
The research involved scans of over two dozen commercial software binaries, including operating systems, password managers, web browsers, and VPNs. All of them received failing security scores because they contained exposed secrets, exploitable vulnerabilities, evidence of code tampering, and subpar application hardening. Notably, of the 20 VPN client releases from six providers that were scanned, more than one-third contained vulnerabilities that required patching or had already been exploited, and four contained exposed developer secrets.
By comparison, scans of the top 30 open-source packages revealed six critical and 33 high-severity vulnerabilities per package on average. Of the 164 vulnerabilities identified, 43 were deemed critical and seven were being actively exploited. Attacks on open source are also becoming harder to discover, using tactics such as hiding malicious code inside serialized Pickle files, as in the "nullifAI" attack on AI development platforms.
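The Pickle tactic mentioned above can be checked for on the defender's side before a file is ever loaded. The following example is added here and is not code from the article or from ReversingLabs: it walks a pickle stream with Python's standard pickletools module, records every callable the stream imports and every opcode that would invoke one, and flags imports outside an allowlist; the allowlist and the three sample streams are constructed for this illustration.

```python
import collections
import pickle
import pickletools

# Callables a serialized data file is permitted to reference; anything else is
# flagged. Constructed allowlist for this example, not taken from the report.
SAFE_GLOBALS = {"collections.OrderedDict"}

# Opcodes that invoke a callable or set attributes when the stream is loaded.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools (never pickle.load) and report
    every imported callable plus any opcode that would execute one."""
    report = {"globals": [], "calls": [], "flagged": []}
    recent = []  # string values pushed so far; STACK_GLOBAL takes the last two
    memo = {}    # memo slot -> string, so a BINGET of a reused module name resolves
    for opcode, arg, pos in pickletools.genops(data):
        name = opcode.name
        if name in STRING_OPCODES:
            recent.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = recent[-1] if recent else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = recent[-1] if recent else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
        ref = None
        if name == "GLOBAL":            # protocols 0-3: arg is "module name"
            ref = ".".join(arg.split(" ", 1))
        elif name == "STACK_GLOBAL":    # protocol 4+: module and name from stack
            ref = ".".join(str(s) for s in recent[-2:])
        if ref is not None:
            report["globals"].append(ref)
            if ref not in SAFE_GLOBALS:
                report["flagged"].append(f"import {ref} at offset {pos}")
        if name in CALL_OPCODES:
            report["calls"].append((name, pos))
    report["verdict"] = "suspicious" if report["flagged"] else "clean"
    return report

# Constructed samples. The third is a protocol-0 stream that calls builtins.len
# on load: harmless, but it has the GLOBAL + REDUCE shape a scanner must catch.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3}, protocol=4)
ALLOWLISTED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
CALLS_ON_LOAD = b"cbuiltins\nlen\n(S'abc'\ntR."
```

Running scan_pickle on the three samples reports the first two as clean (the second imports only an allowlisted callable) and the third as suspicious, because builtins.len is outside the allowlist and is followed by a REDUCE that would call it.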
Despite rising awareness of open-source threats, the report highlights that commercial software generally escapes the same scrutiny, leaving DevOps pipelines exposed to threats hidden deep in trusted third-party tools.
Organizations are finally getting tougher, conducting thorough security reviews and even placing vendors on "Do Not Renew" lists until issues are resolved. While DevSecOps practice has improved, the report calls for greater vigilance in code provenance and supply chain transparency.
As cybercriminals accelerate their use of advanced techniques, it is clear that protecting DevOps environments requires continual adaptation, in mindset as well as in tools.