TL;DR: OWASP’s 2025 Top 10 release candidate places software supply chain failures at number 3, after the community ranked it first with exactly 50% of respondents, while Verizon’s 2025 DBIR found third parties were responsible for a third of breaches. The governance lesson is that segmentation can contain blast radius, but it does not remove upstream dependency risk or the need for lifecycle control.
NHIMG editorial — based on content published by ColorTokens: Securing the Software Supply Chain, Why Microsegmentation Belongs in OWASP's Next Chapter
By the numbers:
- Exactly 50% of respondents ranked software supply chain failures number 1 in the OWASP community survey.
Questions worth separating out
Q: What breaks when a vulnerable third-party component still has broad network and identity access?
A: The control boundary breaks down because the component can turn a local software flaw into wider system compromise.
Q: Why do cryptographic changes matter to IAM and NHI programmes?
A: IAM and NHI programmes rely on certificates, signing keys, and token trust to establish who or what is authenticated.
Q: How do security teams know if segmentation is actually reducing risk?
A: Teams know segmentation is working when unnecessary workload communications disappear, exception volume falls, and policy changes are validated continuously rather than assumed.
Practitioner guidance
- Define dependency-specific trust boundaries Document which upstream and downstream services each third-party component must reach, then block every other path by default.
- Tie runtime identities to software exceptions Inventory the service accounts, tokens, and credentials used by vulnerable or end-of-life software, then assign named owners and review dates.
- Use microsegmentation as containment, not closure Segment affected workloads to reduce lateral movement while remediation is planned, but track segmentation as a temporary control unless there is a documented long-term exception decision.
What's in the full article
ColorTokens' full article covers the operational detail this post intentionally leaves for the source:
- The article walks through four specific CWE patterns and how each maps to a different supply chain failure mode.
- It explains why microsegmentation is a practical interim control for unmaintained and unpatchable software components.
- It gives concrete examples, including Log4Shell and other real-world vulnerabilities, that show how dependency exposure becomes operational risk.
- It outlines how Zero Trust policy can limit known upstream and downstream connections during remediation.
👉 Read ColorTokens' analysis of microsegmentation and software supply chain failures →
Software supply chain failures: what microsegmentation changes for teams?
Explore further
Software supply chain failure is now an identity problem as much as a code problem. Once third-party software reaches production, the real risk is often the runtime trust granted to that software through service accounts, tokens, and network reachability. Microsegmentation can reduce exposure, but the more durable control is understanding which non-human identities are allowed to talk to which assets, and why. Practitioners should treat dependency trust as part of identity governance, not as a separate infrastructure concern.
A question worth separating out:
Q: Who should own the risk when a third-party component cannot be patched quickly?
A: The business owner and the security team should share accountability, because the risk is operational as well as technical. The owner decides whether the component stays, is isolated, or is replaced. Security defines the compensating controls, the exception period, and the review cadence until the dependency is retired or remediated.
👉 Read our full editorial: Microsegmentation and software supply chain failures in OWASP 2025