Adoption of cloud-native technologies such as SASE, SDWAN, and centralized firewall management have enabled operational agility and scalability. They have also, however, introduced new vectors and opportunities for exploitation. Enterprise risk management (ERM) programs are increasingly dominated by concerns around supply chain resilience, as highlighted in Forrester’s recent blog discussing supply chain, AI, and operational resilience.

The recent breaches at security vendors F5 and SonicWall illustrate how attackers are targeting the very infrastructure that enterprises rely on to secure and deliver digital services. According to Forrester data, software supply chain breaches were used in 30% of external attacks in 2025. It represents the broader fragility in software supply chain and assumptions made about trust, control, and visibility.

Source Code Theft And The Specter Of Zero-Day Exploits

The proverbial gut punch to supply chain security comes from F5 suffering a breach in its development environment. In this case, confirmed nation-state actors exfiltrated BIG-IP source code including details of undisclosed vulnerabilities last August. While no critical flaws have been confirmed yet, the theft of proprietary code is nothing to balk at since the product line sits in front of most enterprise applications inside the data center and in the cloud.

The F5 breach introduces a high probability of future zero-day exploitation. In fact, CISA’s emergency directives to federal agencies reflect the gravity of this supply chain compromise. Attackers are increasingly targeting the weakest links in software development and distribution pipelines, continuously testing your security. As highlighted in Forrester blog regarding the future of software supply chain security, organizations must realize that:

  • Software supply chain breaches will continue to be a top external attack vector
  • All 3rd party software, including open-source software, can introduce risk
  • Software supply chain security is a cross-discipline endeavor

The Trade-Offs of Centralized Cloud Management

The SonicWall breach is a reminder about the risk of centralized cloud management, particularly the involvement of sensitive infrastructure configurations. A key feature of its enterprise firewall platform is the MySonicWall cloud backup service, designed to streamline firewall management and disaster recovery. Its compromise resulted in the exposure of encrypted credentials, VPN settings and access rules which collectively give an attacker the operational blueprint necessary to enable precise and devastating intrusion attack campaigns.

To be fair, centralized cloud platforms do offer undeniable benefits, as echoed in Forrester’s report on the cybersecurity platform push, such as:

  • Simplified administration
  • Ease of integrations
  • Scalability
  • Tool consolidation

Lean IT and security teams find solace with such platforms, however the convenience often masks the dangerous assumption that centralized cloud-based management platforms are inherently secure and resilient. As our research has shown, that resilience must be built on the foundation of distributed risk. A centralized, single-cloud- repository introduces a high-value target for attackers with cascading effects.

The Common Thread: Supply Chain Fragility Creates Blind Spots

Both breaches reveal a shared vulnerability: the exposure of critical infrastructure through trusted third-party platforms. Whether it’s cloud-based configuration storage or proprietary development environments, attackers are exploiting the trust enterprises place in their vendors.

Traditional third-party risk management (TPRM) programs focus solely on assessing the security and risk of the entity (the vendor) but lack the directive to also assess security at the product level. This creates significant blind spots to flaws or vulnerabilities in the software supply chain.

These incidents reinforce the need for security leaders to treat vendors as extensions of their attack surface. As such, Forrester recommends that security and risk leaders:

  • Audit and harden: Immediately audit F5 and SonicWall deployments. Rotate credentials, patch systems, and harden public-facing interfaces.
  • Decentralize critical assets: Consider shifting sensitive configurations to local-only storage for high-value infrastructure.
  • Step up third-party risk management: Expand TPRM efforts to assess both entity AND product. Prioritize software supply chain security in vendor assessments. Don’t assume that security vendors get excused from detailed assessment and continuous monitoring. In fact, considering how critical they are to your organization’s security, they should be evaluated even more rigorously and continuously.
  • Make SBOMs mandatory. Require SBOMs (Software Bills of Materials), secure software development lifecycle (SDLC) practices, SLAs for patch updates, and incident response transparency from the vendor and continuously monitor SBOMs for newly disclosed vulnerabilities.
  • Encrypt backups with customer-controlled keys: Where possible, require client-side encryption or BYOK (Bring Your Own Key) for any vendor-managed backup service so that even if the vendor is breached, the attacker cannot decrypt sensitive configs.
  • Enable operational resilience: Integrate supply chain risk into ERM programs, aligning with Forrester’s guidance on resilience planning in 2025.
  • Carry out detection and threat hunting: To identify potential attacker activity from the F5 breach, hunt for anomalous management-plane logins, config changes, and code-signing anomalies. The vendor provided guidance for tracking login attempts. For SonicWall, track SSL VPN logs for credential-stuffing or mass logins and flag any config restores from cloud backups. Make sure you validate image integrity against vendor hashes.

Connect With Us

Forrester clients with questions related to this blog, supply chain risk, or enterprise risk management can connect with us through an inquiry or guidance session.

You can also meet our analysts in person at Forrester’s Security & Risk Summit, November 5–7, 2025.