Download the Gartner 2025 Market Guide for Software Supply Chain Security (SSCS) to learn how to protect your organization.
Software supply chain attacks are a top threat to enterprises worldwide. These sophisticated attacks target everything from open-source components and third-party APIs to critical DevOps toolchains. If you’re building software, your supply chain is a prime target.
We see the 2025 Gartner Market Guide for Software Supply Chain Security (SSCS) underscoring this escalating risk and offering insights organizations can use to protect themselves.
Why Software Supply Chain Security Can’t Wait
Much software relies heavily on a complex ecosystem of open-source software (OSS) and vendor components – often 70–90% of a modern application. This reliance creates targets for attackers who exploit visibility gaps, compromise artifact integrity, and bypass inadequate policy enforcement. The fallout? Impacts across your organization and its entire ecosystem.
We learned from the Gartner 2025 Market Guide for Software Supply Chain Security (SSCS) that:
- Security is still shifting left: Software engineering teams are now directly responsible for SSCS, moving beyond traditional application security.
- Visibility is crucial: Fragmented interdependencies create dangerous blind spots, making it hard to track artifacts, tools, and identities across your SDLC.
- Integrity is under attack: Weak artifact validation allows attackers to poison delivery pipelines, compromising your software’s integrity.
- Automation is lacking: Without automated tools to enforce security policies and detect misconfigurations, your software delivery posture is at risk.
The urgency is undeniable: 60% of large enterprises are already deploying SSCS tools in 2025, and Gartner predicts this will jump to 85% by 2028. New regulatory mandates, like the U.S. Cybersecurity Executive Order 14144 and the EU Cyber Resilience Act, further underscore the need for robust SSCS solutions to help ensure compliance and protect critical infrastructure.
Key Capabilities of Modern Software Supply Chain Security Tools
As we interpret it, Gartner describes SSCS tools as solutions that protect software development and delivery by reducing third-party risks, ensuring artifact provenance, and enhancing security posture. These tools are vital across all three phases of your SDLC: development, delivery, and post-deployment.
In our reading, the Gartner report outlines essential features, including:
- Development Phase: Tools like Software Composition Analysis (SCA) to identify vulnerabilities in OSS, scan internal code for secrets, and generate Software Bills of Materials (SBOMs) for transparency.
- Delivery Pipeline: Solutions for signing and verifying artifacts to help ensure integrity, providing a complete inventory of tools, and automating policy enforcement to prevent noncompliant artifacts.
- Post-Deployment: Capabilities for traceability to track affected components back to their source and monitoring new risks with audit trails for quicker recovery from attacks.
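The delivery-pipeline capabilities above (signed, verified artifacts and automated policy enforcement that rejects noncompliant packages) can be illustrated with a small admission check. The following is an added example, not code from Veracode or from the Gartner report: it uses an HMAC over a canonical build manifest as a stand-in for a real signing scheme, and the approved-package list, flagged versions and sample artifact are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a pipeline signing key. A real pipeline would use an
# asymmetric signing tool; HMAC keeps this example dependency-free.
SIGNING_KEY = b"example-pipeline-signing-key"

# Constructed policy: package name -> versions approved for use in the pipeline.
APPROVED_PACKAGES = {
    "requests": {"2.32.3"},
    "urllib3": {"2.2.2"},
}

# Constructed set of (name, version) pairs an SCA scan flagged (not real advisories).
FLAGGED_VERSIONS = {("urllib3", "1.26.0")}


def artifact_digest(data: bytes) -> str:
    """SHA-256 hex digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Sign the canonical JSON form of a build manifest (sorted keys, no whitespace)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison of the presented signature against a fresh one."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def admit_artifact(artifact: bytes, manifest: dict, signature: str) -> list[str]:
    """Return the list of policy violations; an empty list means the artifact is admitted."""
    violations = []
    if not verify_manifest(manifest, signature):
        # Nothing in an unsigned manifest can be trusted, so stop here.
        return ["manifest signature invalid"]
    if artifact_digest(artifact) != manifest["sha256"]:
        violations.append("artifact digest does not match signed manifest")
    for dep in manifest.get("dependencies", []):
        name, version = dep["name"], dep["version"]
        if name not in APPROVED_PACKAGES:
            violations.append(f"unapproved package: {name}")
        elif version not in APPROVED_PACKAGES[name]:
            violations.append(f"unapproved version: {name}=={version}")
        if (name, version) in FLAGGED_VERSIONS:
            violations.append(f"flagged by SCA: {name}=={version}")
    return violations


def build_example(dependencies: list[dict]) -> tuple[bytes, dict, str]:
    """Construct a sample artifact, its manifest and a valid signature over the manifest."""
    artifact = b"constructed release tarball bytes"
    manifest = {
        "artifact": "app-1.0.0.tar.gz",
        "sha256": artifact_digest(artifact),
        "dependencies": dependencies,
    }
    return artifact, manifest, sign_manifest(manifest)


if __name__ == "__main__":
    clean_deps = [{"name": "requests", "version": "2.32.3"}]
    artifact, manifest, signature = build_example(clean_deps)
    print("clean build:", admit_artifact(artifact, manifest, signature))
    print("tampered artifact:", admit_artifact(artifact + b"x", manifest, signature))
    risky_deps = [{"name": "urllib3", "version": "1.26.0"}]
    artifact, manifest, signature = build_example(risky_deps)
    print("flagged dependency:", admit_artifact(artifact, manifest, signature))
```

The signature check runs first because a manifest whose signature fails tells you nothing reliable about the digest or the dependency list; the digest check then ties the bytes being deployed to what the build signed, and only after that does the package policy run.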
Veracode in the SSCS Landscape
Veracode is listed as a Representative Vendor in the Gartner report. We are passionate about playing a pivotal role in securing the software supply chain. Veracode SCA and Package Firewall align with the market’s needs, offering comprehensive protection across your SDLC.
Veracode SCA: Enhance Visibility and Compliance
We believe Veracode SCA excels in the development phase by:
- Reducing Third-Party Risks: Quickly identifying vulnerabilities, licenses, and operational risks in the OSS and third-party dependencies that make up a large share of your software.
- Simplifying SBOM Management: Generating and processing SBOMs, giving you transparency into software components and helping you support compliance with regulations like the EU Cyber Resilience Act.
- Prioritizing Real Risks: Using reachability analysis to see if your applications actually depend on vulnerable code, helping you prioritize what matters most.
- Scanning Everything: Performing Binary SCA to scan proprietary and OSS components even without source code access, producing SBOMs for enhanced risk management.
Veracode Package Firewall: Lock Down Your CI/CD Pipelines
Veracode Package Firewall complements SCA by strengthening security in your delivery pipeline and post-deployment. It:
- Protects Software Integrity: Enforces policies to block noncompliant or unapproved packages, stopping risky artifacts from entering your CI/CD pipelines.
- Automates Policy Enforcement: Detects and helps prevent unauthorized access to SDLC tools, in line with the automated security controls we see recommended in the market.
- Supports Post-Deployment Monitoring: Helps ensure traceability and monitors new risks by restricting unvetted packages, providing audit trails that support attack recovery.
By directly addressing CI/CD security risks, Package Firewall closes a critical market gap, helping ensure artifact integrity and provenance without slowing down your developers.
Build Trust in Your Software Supply Chain Today
As software supply chain attacks become more sophisticated and regulatory pressures mount, prioritizing SSCS tools is no longer optional; it’s essential for protecting your SDLC.
Download the 2025 Gartner Market Guide for Software Supply Chain Security report today to understand the threats and learn how Veracode can help you strengthen your software supply chain.

Gartner, Market Guide for Software Supply Chain Security, By Manjunath Bhat, Aaron Lord, Jason Gross, 7 April 2025
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.