The average business uses 106 different SaaS applications. Each of those applications depends on roughly 150 other components, and about 90% of those are indirect dependencies the organization doesn't even know about.
That means your organization likely depends on something like 16,000 software components. You control almost none of them. If one of them fails (through vendor bankruptcy, ransomware, or a targeted attack), every operation that depends on it stops. This dependency creates a vulnerability that most organizations don't know how to protect against.
Below, we explain why software supply chain attacks are accelerating, why traditional disaster recovery doesn't cover this risk, and what software supply chain resilience actually requires.
Software supply chains have become the easiest way in for attackers. Why break through a company's defenses when you can compromise a single vendor and reach thousands of victims at once?
The SolarWinds attack illustrated this. Attackers didn't target 18,000 organizations individually. They compromised one vendor's build and update process so that a legitimately signed update carried the malware, and the victims installed it themselves. Fortune 500 companies and government agencies ran compromised software for months without knowing.
The pattern keeps repeating, and the forecasts reflect it. Industry projections hold that by the end of 2025 nearly half of all organizations will have experienced a software supply chain attack, with roughly $60 billion in damages globally this year alone.
Most organizations think backups and disaster recovery plans cover them. They don't, at least not when the software itself becomes unavailable.
Traditional DR assumes you'll always have access to your software and just need to restore your data. But what happens when the software itself disappears? When your SaaS provider gets ransomed and can't operate. When your critical application provider goes bankrupt overnight. When a supply chain attack forces you to stop using compromised software immediately.
Backups secure your data. Disaster recovery helps you restore systems. Neither gives you access to source code, deployment configurations, or the ability to run software independently when the provider can't deliver service. You end up with perfect backups of data you can't use because you don't have the software to process it.
This gap between what organizations think they're defending against and what really threatens them is why supply chain attacks keep working.
Software escrow used to be a passive legal arrangement that stored source code in case a vendor went bankrupt, with the expectation you'd never actually need it. The process was manual, updates were infrequent, and using escrowed code required teams of developers and months of work.
That model doesn't work for today's software disruptions. Vendor failures happen constantly through acquisitions, ransomware, and supply chain attacks. Response times are measured in hours, not months.
Software escrow had to change to match that pace.
Modern software escrow has evolved into an active recovery and continuity system. It captures complete operational environments: configurations, credentials, service relationships, and deployment pipelines. Credentials held in an escrow deposit need the same access controls and rotation discipline as production secrets; a deposit that can restore your software can also impersonate it. The escrow syncs automatically with development repositories and includes verification testing that proves the materials really work. When a trigger event occurs, you get pre-verified packages that can be deployed within hours.
Real software resilience means accepting that your software supply chain is your attack surface. Every dependency is a potential point of failure. You can't eliminate these dependencies — modern business requires them — but you can maintain operations when they fail.
This requires a different approach than traditional risk management. Prevention alone won't work when industry surveys report that around three quarters of software supply chains have been hit by attacks. The question isn't whether you'll be impacted, but when and how badly.
Resilience means maintaining operations during and after an attack, not just trying to prevent one.
Start by mapping your critical software dependencies. Identify which applications would shut down your business if they became unavailable tomorrow. For those applications, make sure you have continuity protection that goes beyond backups and gives you access to everything needed to maintain or migrate the software independently.
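The mapping step above is where the indirect dependencies from the opening statistics actually surface: an application you consider critical usually reaches components several hops away that never appear on a vendor list. The script below is an added example for this article, not the page's own tooling or any escrow provider's product. It walks a constructed inventory (the component names, vendors, and the `continuity` artifact labels are all assumptions chosen for the illustration), computes each application's direct and transitive dependencies, finds components whose loss would stop more than one critical application, and reports which components still lack the source, build, and deployment materials needed to run them independently.

```python
"""Map critical software dependencies and the blast radius of losing one.

Added example for this article; the inventory is constructed sample data and the
artifact labels ("source", "build", "deploy", "backup") are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    vendor: str
    depends_on: list = field(default_factory=list)
    # Continuity artifacts the organization actually holds for this component.
    continuity: set = field(default_factory=set)


@dataclass
class Application:
    name: str
    critical: bool  # Would the business stop if this were unavailable tomorrow?
    direct_deps: list


# Constructed inventory: two critical apps share a transitive dependency (crypto-core)
# that neither vendor list mentions directly.
COMPONENTS = {
    "billing-saas": Component("billing-saas", "VendorA", ["auth-lib", "pdf-engine"], {"backup"}),
    "auth-lib": Component("auth-lib", "VendorB", ["crypto-core"], {"source", "build", "deploy"}),
    "pdf-engine": Component("pdf-engine", "VendorC", ["crypto-core"], set()),
    "crypto-core": Component("crypto-core", "VendorD", [], {"source"}),
    "crm": Component("crm", "VendorE", ["auth-lib"], {"backup", "source", "build", "deploy"}),
}

APPLICATIONS = [
    Application("Invoicing", True, ["billing-saas"]),
    Application("SalesPipeline", True, ["crm"]),
    Application("Newsletter", False, ["pdf-engine"]),
]

# Backups alone do not count: to run software without its provider you need all three.
REQUIRED_FOR_INDEPENDENT_OPERATION = {"source", "build", "deploy"}


def transitive_deps(roots, components):
    """Breadth-first walk from the listed direct dependencies.

    Returns (direct, indirect): the components named on the vendor list and the
    ones reached only through other components.
    """
    direct = set(roots)
    seen = set(roots)
    queue = deque(roots)
    while queue:
        current = queue.popleft()
        for dep in components[current].depends_on:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return direct, seen - direct


def blast_radius(component, applications, components):
    """Names of applications that stop if `component` becomes unavailable."""
    hit = []
    for app in applications:
        direct, indirect = transitive_deps(app.direct_deps, components)
        if component in direct | indirect:
            hit.append(app.name)
    return sorted(hit)


def single_points_of_failure(applications, components):
    """Components whose loss would stop more than one critical application."""
    critical_apps = [a for a in applications if a.critical]
    spof = {}
    for name in components:
        hit = blast_radius(name, critical_apps, components)
        if len(hit) > 1:
            spof[name] = hit
    return spof


def continuity_gaps(applications, components):
    """Per critical application, which reachable components lack the artifacts
    needed to run them independently, and which artifacts are missing."""
    gaps = {}
    for app in applications:
        if not app.critical:
            continue
        direct, indirect = transitive_deps(app.direct_deps, components)
        missing = {}
        for name in direct | indirect:
            held = components[name].continuity
            if not REQUIRED_FOR_INDEPENDENT_OPERATION <= held:
                missing[name] = sorted(REQUIRED_FOR_INDEPENDENT_OPERATION - held)
        gaps[app.name] = missing
    return gaps


if __name__ == "__main__":
    for app in APPLICATIONS:
        direct, indirect = transitive_deps(app.direct_deps, COMPONENTS)
        print(f"{app.name}: direct={sorted(direct)} indirect={sorted(indirect)}")
    print("Shared single points of failure:", single_points_of_failure(APPLICATIONS, COMPONENTS))
    print("Continuity gaps:", continuity_gaps(APPLICATIONS, COMPONENTS))
```

In the constructed inventory, `crypto-core` never appears on either critical application's vendor list, yet losing it stops both, and the organization holds only its source, not the build or deployment materials. That is exactly the kind of component the mapping step is meant to surface before a trigger event does.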
If you are the vendor providing critical software, this means offering escrow as part of your customer relationships. It's becoming a requirement in enterprise contracts, and demonstrating you have continuity protection in place builds trust with customers who understand supply chain risk.
Software dependencies have become the primary path for attacks, and traditional backup strategies don't guard against vendor disruptions. The organizations that understand this are moving beyond disaster recovery to implement active resilience systems: verified, tested safeguards that maintain operations regardless of what happens to their software providers.
The question every organization needs to answer: Can you keep operating when your critical software providers can't? If the answer isn't clearly yes, you have a gap in your resilience strategy that needs to close before the next supply chain attack finds it.