TL;DR: OWASP’s 2025 Top 10 release candidate places software supply chain failures at number 3, after the community ranked it first with exactly 50% of respondents, while Verizon’s 2025 DBIR found third parties were responsible for a third of breaches. The governance lesson is that segmentation can contain blast radius, but it does not remove upstream dependency risk or the need for lifecycle control.
At a glance
What this is: The article argues that software supply chain failures now sit high on the OWASP 2025 agenda and that microsegmentation can reduce blast radius when third-party software or unpatchable components create exposure.
Why it matters: For IAM, PAM, and NHI teams, this matters because dependency risk often becomes access risk once service accounts, tokens, and runtime paths allow vulnerable software to reach sensitive systems.
By the numbers:
- Third parties were responsible for a third of breaches in Verizon's 2025 Data Breach Investigations Report.
- Exactly 50% of respondents ranked software supply chain failures number 1 in the OWASP community survey.
👉 Read ColorTokens' analysis of microsegmentation and software supply chain failures
Context
Software supply chain failure is a governance problem before it is a tooling problem. Once third-party code, unmaintained dependencies, or unpatchable components are embedded in production paths, organisations are forced to manage exposure rather than eliminate it. That creates a real identity and access angle because application paths, service accounts, and machine credentials determine how far a compromised dependency can move.
The article frames microsegmentation as a compensating control that narrows the path from dependency exposure to business impact. That is directionally sound, but it should be read as containment, not assurance. For NHI programmes, the deeper question is which runtime identities, tokens, and upstream-downstream trust relationships still let vulnerable software reach crown-jewel systems.
Key questions
Q: What breaks when a vulnerable third-party component still has broad network and identity access?
A: The control boundary breaks down because the component can turn a local software flaw into wider system compromise. Broad access lets attackers move from the vulnerable workload into adjacent services, data stores, or administrative paths. Containment works only when identity permissions and network reach are both narrow enough to stop lateral movement before it starts.
Q: Why do cryptographic changes matter to IAM and NHI programmes?
A: IAM and NHI programmes rely on certificates, signing keys, and token trust to establish who or what is authenticated. If those cryptographic controls cannot change cleanly, trust flows become brittle, incident recovery slows, and the organisation loses the ability to respond to new standards or vulnerabilities without disruption.
Q: How do security teams know if segmentation is actually reducing risk?
A: Teams know segmentation is working when unnecessary workload communications disappear, exception volume falls, and policy changes are validated continuously rather than assumed. A good signal is that one compromised workload cannot reach adjacent systems without hitting an explicit control. If internal traffic remains widely open, the organisation still has a propagation problem, not a containment strategy.
Q: Who should own the risk when a third-party component cannot be patched quickly?
A: The business owner and the security team should share accountability, because the risk is operational as well as technical. The owner decides whether the component stays, is isolated, or is replaced. Security defines the compensating controls, the exception period, and the review cadence until the dependency is retired or remediated.
Technical breakdown
What software supply chain failures mean in practice
Software supply chain failures occur when the process of building, distributing, or updating software is compromised, or when the software itself depends on vulnerable, obsolete, or unmaintained components. In practice, the failure may appear as malicious code injection, a dependency flaw, or a component that cannot be safely upgraded. The security issue is not limited to code provenance. It includes the trust path from developer tooling to runtime systems, which is where identity and access control become relevant.
Practical implication: map every external dependency to the identities and network paths it can reach.
How microsegmentation limits blast radius for vulnerable software
Microsegmentation divides environments into tightly controlled zones so that a compromised component cannot freely reach adjacent systems. It works best when paired with least privilege, because network isolation alone does not stop all abuse if the workload still has broad credentials. In this article's context, segmentation is a containment layer for third-party software risk, especially when patching is delayed or impossible. It buys time by constraining lateral movement and limiting which upstream and downstream services can be contacted.
Practical implication: segment vulnerable workloads around the exact connections they require, then deny everything else.
Why unpatchable components change the control model
An unpatchable or end-of-life component creates a permanent exposure condition because remediation is no longer a simple update decision. The organisation must choose between retirement, replacement, or long-term compensating controls. That shifts security from prevention to exposure management, where segmentation, strict authentication boundaries, and monitored trust relationships become the remaining controls. This is where identity governance matters, because the runtime identities attached to those components often outlive the software they protect.
Practical implication: assign explicit ownership to every runtime identity tied to unpatchable software and review it as a high-risk exception.
Threat narrative
Attacker objective: The attacker aims to turn a single dependency weakness into broader access across connected systems and workloads.
- Entry occurs when a vulnerable or compromised third-party component is introduced into the software build, update, or runtime path.
- Escalation follows when the affected workload can still use standing network paths or credentials to reach adjacent systems.
- Impact occurs when the attacker uses that trust to move laterally, compromise connected services, or expose sensitive data.
NHI Mgmt Group analysis
Software supply chain failure is now an identity problem as much as a code problem. Once third-party software reaches production, the real risk is often the runtime trust granted to that software through service accounts, tokens, and network reachability. Microsegmentation can reduce exposure, but the more durable control is understanding which non-human identities are allowed to talk to which assets, and why. Practitioners should treat dependency trust as part of identity governance, not as a separate infrastructure concern.
Blast-radius control is becoming the default compensating strategy for unfixable software risk. The article is right to emphasise containment when patching is delayed, unavailable, or operationally risky. That does not make segmentation a substitute for remediation, but it does mean organisations need a repeatable model for isolating high-risk dependencies while they plan retirement. Practitioners should stop assuming every vulnerable component can be fixed on the normal patch cycle.
The governance gap is not only vulnerable code, but persistent permission to use vulnerable code. A dependency can be known, documented, and still dangerous if its associated runtime identities retain broad access to downstream services. That is the same structural problem NHIMG sees in other non-human identity failures: access persists longer than the business accepts, and lateral movement follows. Practitioners should align software supply chain controls with NHI lifecycle control.
Software supply chain risk will increasingly be judged by what it can reach, not just what it contains. OWASP’s move to elevate this category reflects a broader shift toward exposure-based governance. The practical consequence is that security teams will need to combine dependency inventory, network segmentation, and identity scoping into one control narrative. Practitioners should expect auditors and risk leaders to ask how far a compromised component can move, not just whether it is vulnerable.
Dependency trust gap: A vulnerable component remains a governance failure when it can still authenticate, connect, or move laterally inside production. This concept captures the core problem in the article: trust is often extended to software long after its risk is understood. Practitioners should use it to structure reviews of runtime access, segmentation, and exception handling.
What this signals
Dependency trust gap: security teams need to treat third-party software as an access-bearing entity, not just a patching concern. That means connecting build-time inventory, runtime segmentation, and identity governance so a vulnerable component cannot retain more reach than its business function requires. The OWASP link is useful here because the article points to the same exposure pattern that OWASP now treats as a top-tier supply chain issue.
For NHI programmes, the next step is to inventory the service accounts and tokens that keep exposed dependencies alive. The practical question is not only whether the component is vulnerable, but whether its identity can still authenticate into systems that matter. A constrained trust model is the only durable answer when patching cannot happen immediately.
The article's emphasis on microsegmentation reflects a broader shift toward containment-based resilience. In practice, that means teams should combine segmented network paths with identity scoping and exception governance, then validate the result against the NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10.
For practitioners
- Define dependency-specific trust boundaries Document which upstream and downstream services each third-party component must reach, then block every other path by default. Use these boundaries to drive segmentation rules and exception approvals, especially for components that cannot be patched quickly.
- Tie runtime identities to software exceptions Inventory the service accounts, tokens, and credentials used by vulnerable or end-of-life software, then assign named owners and review dates. If the software remains in place, the associated identity should be treated as a high-risk exception, not a routine entitlement.
- Use microsegmentation as containment, not closure Segment affected workloads to reduce lateral movement while remediation is planned, but track segmentation as a temporary control unless there is a documented long-term exception decision. Pair the network rule set with logging so you can verify that blocked paths stay blocked.
- Prioritise retirement for unpatchable components Create a formal exit path for components that vendors cannot safely update, including replacement milestones, compensating controls, and business owner sign-off. If the component is still necessary, restrict its access to known upstream and downstream connections only.
Key takeaways
- OWASP’s elevation of software supply chain failures reflects a real governance shift: organisations now have to manage how far compromised dependencies can reach, not just whether they are vulnerable.
- Microsegmentation helps contain third-party software risk, but the control only works when service accounts, tokens, and network paths are scoped tightly enough to block lateral movement.
- For identity teams, the critical question is whether vulnerable software still has standing permission to access downstream systems after the risk is known.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0010 , Exfiltration | The article focuses on how compromised dependencies spread across connected systems. |
| NIST CSF 2.0 | PR.AC-4 | Access control is central because vulnerable components should not retain broad reach. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly supports the article's containment logic for vulnerable workloads. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Non-human identity lifecycle control is relevant where software dependencies use service accounts and tokens. |
| NIST Zero Trust (SP 800-207) | Zero Trust is the article's main architectural mitigation for limiting blast radius. |
Map vulnerable software paths to lateral movement and exfiltration tactics, then segment the reachable surface.
Key terms
- Software Supply Chain Failure: A software supply chain failure is any breakdown in the build, dependency, signing, or distribution chain that allows tampering, compromise, or unauthorized access. For NHI security, the concern is not only corrupted code but also the credentials and machine identities that move that code through the pipeline.
- Microsegmentation: A control approach that divides an environment into tightly scoped network zones so workloads can only communicate with approved peers. It reduces blast radius after compromise, especially when paired with least privilege and identity-aware policy enforcement.
- Blast Radius: The amount of systems, data, or services an attacker can reach after exploiting one weak point. In supply chain risk, blast radius is often determined less by the flaw itself than by the permissions, connections, and trust relationships surrounding it.
- Runtime Identity: Runtime identity is the practice of making identity and authorization decisions at the moment an action occurs. For agents and workloads, it means access is validated against live context, not only against the identity state set during onboarding or provisioning. That makes accountability and scope enforcement possible inside fast-moving workflows.
What's in the full article
ColorTokens' full article covers the operational detail this post intentionally leaves for the source:
- The article walks through four specific CWE patterns and how each maps to a different supply chain failure mode.
- It explains why microsegmentation is a practical interim control for unmaintained and unpatchable software components.
- It gives concrete examples, including Log4Shell and other real-world vulnerabilities, that show how dependency exposure becomes operational risk.
- It outlines how Zero Trust policy can limit known upstream and downstream connections during remediation.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect runtime access decisions to broader identity governance.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org