
If consequences matter, they should apply to vendors, too

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB Memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.

We moved fast and broke things. It’s time for a change.

The phrase “Move fast and break things” is a guiding philosophy in the technology industry. The phrase was coined by Meta CEO and founder Mark Zuckerberg more than two decades ago: an operational directive for Facebook developers to prioritize speed and innovation even at the cost of stability. “Unless you are breaking stuff,” Zuckerberg told Business Insider in a 2009 interview, “you are not moving fast enough.” 

But Zuckerberg’s call was heard well beyond Facebook’s offices. The tech industry has embraced the philosophy for close to two decades, with benefits that are visible all around us: TikTok influencers, contactless mobile payments, self-driving taxis, and AI-powered glasses.

In practice, however, the culture of “move fast and break things” produced firms that prioritize fast release cycles and feature development over software security and resilience. They move fast and make broken things: vulnerable and poorly designed applications, services and devices that are preyed on by cybercriminal groups and hostile nations. Consider the China-backed APT groups targeting both known and “zero-day” flaws in on-premises Microsoft SharePoint instances in 2025 and Ivanti VPN devices in 2023. Those campaigns led to the compromise of hundreds of organizations globally, including U.S. federal agencies and critical infrastructure operators.

Then there was the campaign by the China-backed threat actor UNC6395, which targeted Salesforce customers using OAuth tokens stolen from the third-party application Salesloft Drift to exfiltrate large volumes of data from hundreds of Salesforce instances.

These incidents highlight two key features of today’s cyberthreat landscape. First, attackers exploit older applications with legacy code that contains high-severity security vulnerabilities. Second, they target large, complex cloud platforms like Salesforce by compromising vulnerable third-party integrations, software dependencies, and poorly managed APIs. 

This problem is compounded by a dangerous assumption: that software suppliers are trustworthy and secure. This mindset is outdated. In the past, supply chain attacks were rare, development cycles took months or years, and applying patches quickly was the gold standard. Today, in the “move fast” era, code can go from development to production in days, hours, or even seconds.

Consider the recent Trust Wallet breach. In December, the cryptocurrency application vendor disclosed that hackers stole approximately $8.5 million in crypto assets through a compromised Google Chrome extension. The root cause was a November outbreak of the Shai Hulud registry-native worm, which leaked Trust Wallet developers’ GitHub credentials. With these credentials, attackers accessed Trust Wallet’s browser extension source code and the Chrome Web Store (CWS) API key, the company said in a blog post. That key let them upload malicious extension builds directly to the store, bypassing Trust Wallet’s standard security reviews. Within days, Trust Wallet users awoke to find their wallets emptied.

By compromising “pre-blessed” channels like software updates from trusted suppliers or open source projects, criminal and nation-state attackers can extend their reach into sensitive IT environments.

The solution to problems like this starts with recognizing that the “move fast and break things” era must end. As software powers everything from database servers to dishwashers and tractors, vendors must prioritize security to meet market demands and regulatory requirements. This means proving their software is secure. Traditional application security testing tools—like software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST)—are part of the solution.

However, today’s threat landscape requires software publishers to look beyond appsec’s “usual suspects.” They must test compiled binaries before release to detect tampering or malicious code that typically evades traditional application security tools, which examine source and dependencies rather than the artifact that actually ships. After all, that is what we saw with incidents like the hacks of SolarWinds’ Orion and VoIP provider 3CX’s Desktop App.

Software publishers also need to prioritize code quality, security and transparency. They can do that by establishing ambitious “zero vulnerability” goals that incentivize them to address problems like “code rot” (reliance on old and vulnerable software modules). They must also embrace transparency by publishing bills of materials for their products—including SBOMs (software bills of materials), MLBOMs (machine learning bills of materials), and SaaSBOMs. Knowing what is in the software your organization consumes can be critical to heading off attacks that exploit vulnerable software dependencies or other supply chain weaknesses. 
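The Trust Wallet and SolarWinds cases above share a pattern: the artifact that reached users was not the artifact that had been reviewed. One concrete control that ties the binary-testing point and the SBOM point together is a release gate that compares the shipped artifact against the hash the build pipeline recorded in the SBOM, and checks the SBOM's component list against an advisory feed. The block below is an added example written for this article, not code from Trust Wallet, ReversingLabs, or any project mentioned here. The artifact bytes, package names, and advisory entries are all constructed; the SBOM field names follow the CycloneDX 1.5 JSON layout, and the version comparison handles only plain dotted numeric versions.

```python
"""Release gate: verify a shipped artifact against the SBOM its build produced,
and flag SBOM components that fall inside a known-affected version range.
All sample data below is constructed for illustration."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    # Plain dotted numeric versions only (e.g. "1.3.0"); enough for the
    # constructed data here. Real feeds need a full semver/PEP 440 parser.
    return tuple(int(part) for part in v.split("."))


# Constructed artifacts: the reviewed build, and the same bytes with an
# injected payload, standing in for a build uploaded outside the review path.
GOOD_ARTIFACT = b"wallet-extension-2.3.1 release bundle (constructed bytes)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n// injected drainer (constructed)"


def build_sbom(artifact: bytes) -> dict:
    """Mimics the CycloneDX SBOM a CI pipeline would emit for the reviewed build,
    including the hash of the artifact it actually produced."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {
            "component": {
                "name": "wallet-extension",
                "version": "2.3.1",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifact)}],
            }
        },
        "components": [
            {"type": "library", "name": "example-pad", "version": "1.3.0",
             "purl": "pkg:npm/example-pad@1.3.0"},
            {"type": "library", "name": "example-http", "version": "4.2.0",
             "purl": "pkg:npm/example-http@4.2.0"},
        ],
    }


# Constructed advisory feed (hypothetical IDs and packages).
# A component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "name": "example-pad",
     "introduced": "1.0.0", "fixed": "1.3.1"},
    {"id": "EXAMPLE-2025-0002", "name": "example-http",
     "introduced": "5.0.0", "fixed": "5.0.3"},
]


def verify_artifact(sbom: dict, artifact: bytes) -> bool:
    """True only if the artifact's SHA-256 matches the hash the SBOM recorded."""
    recorded = {h["alg"]: h["content"]
                for h in sbom["metadata"]["component"].get("hashes", [])}
    expected = recorded.get("SHA-256")
    if expected is None:
        return False  # no recorded hash: treat as unverified, never as trusted
    return hmac.compare_digest(expected, sha256_hex(artifact))


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Return (purl, advisory id) pairs for components in an affected range."""
    hits = []
    for comp in sbom.get("components", []):
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


def release_gate(sbom: dict, artifact: bytes, advisories: list) -> dict:
    """Combined verdict a publish step (or a post-publish monitor) can act on."""
    return {
        "hash_ok": verify_artifact(sbom, artifact),
        "vulnerable": find_vulnerable(sbom, advisories),
    }


if __name__ == "__main__":
    sbom = build_sbom(GOOD_ARTIFACT)
    print(json.dumps(release_gate(sbom, GOOD_ARTIFACT, ADVISORIES)))
    print(json.dumps(release_gate(sbom, TAMPERED_ARTIFACT, ADVISORIES)))
```

The same check is worth running after publication as well as before it: a vendor that periodically downloads its own listing from a store or registry and compares it to the hash its pipeline recorded will notice a build that arrived through a stolen publishing key, which a pre-release review alone cannot catch.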

Should tech firms still move fast and innovate? Absolutely. But in 2026, innovation and rapid releases must be balanced with an even greater priority: building secure, resilient technology that protects both vendors and customers from attacks. Instead of “move fast and break things,” we need a new rallying cry: “Make Smart and Safe Things.”  

Saša Zdjelar is the Chief Trust Officer (CTrO) at ReversingLabs and Operating Partner at Crosspoint Capital with nearly 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council.

The post We moved fast and broke things. It’s time for a change. appeared first on CyberScoop.
