BlogPartners

Webinar

Fragile by Design: Large-Scale Evidence of Supply Chain Risk

In this VulnCon session, recorded live in Scottsdale, NetRise's Gary Schwartz shares findings from binary analysis of firmware and container artifacts from the past three years, spanning nearly 19,000 firmware assets across 380-plus organizations. His conclusion is blunt: supply chain risk is an inventory problem before it is a prioritization problem. Most of what actually runs in delivered software never appears in a manifest, so most of the risk stays hidden. Gary shows where to focus.

Speakers

Gary Schwartz

SVP Marketing, NetRise

Key Takeaways

  • Inventory comes before prioritization

    Across the firmware analyzed, roughly two-thirds of components never appeared in a manifest and close to 99% of vulnerabilities sat outside the declared inventory, so you cannot prioritize risk you were never able to see.

  • The risk is concentrated, and most of it is triage-able

    The top ten components account for 93% of vulnerability exposure, and a device showing thousands of CVEs can often be narrowed to the few that are network-accessible, weaponized, and KEV-listed.

  • Supply chain risk is more than CVEs

    Recent compromises in projects like Trivy, LiteLLM, and Axios were not CVE events, which is why blast radius, contributor trust, and non-CVE exposure such as exposed secrets and misconfigurations now matter as much as patching.

Stay up to date with the news

Sign up to get our free insights delivered to your inbox.