How F5 And SonicWall Revealed The Fragility Of The Software Supply Chain
The adoption of cloud-native technologies — such as SASE, SD-WAN, and centralized firewall management — has enabled operational agility and scalability, but it has also introduced new vectors and opportunities for exploitation. Enterprise risk management (ERM) programs are increasingly dominated by concerns around supply chain resilience, as highlighted in Forrester’s recent blog discussing supply chain, AI, and operational resilience.
The recent breaches at F5 and SonicWall illustrate how attackers are targeting the very infrastructure that enterprises rely on to secure and deliver digital services. According to Forrester data, software supply chain breaches were used in 30% of external attacks in 2025. This reflects the broader fragility in the software supply chain and the assumptions that enterprises make about trust, control, and visibility.
Source-Code Theft And The Specter Of Zero-Day Exploits
The proverbial gut punch to supply chain security comes from F5 suffering a breach in its development environment. In this case, confirmed nation-state actors exfiltrated BIG-IP source code, including details of undisclosed vulnerabilities last August. While no critical flaws have been confirmed yet, the theft of proprietary code is significant, as the product line sits in front of most enterprise applications in the data center and cloud.
The F5 breach introduces a high probability of future zero-day exploitation. In fact, CISA’s emergency directives to federal agencies reflect the gravity of this supply chain compromise. Attackers are increasingly targeting the weakest links in software development and distribution pipelines, continuously testing your security. As highlighted in Forrester’s blog regarding the future of software supply chain security, organizations must realize that:
- Software supply chain breaches will continue to be a top external attack vector.
- All third-party software, including open-source software, can introduce risk.
- Software supply chain security is a cross-discipline endeavor.
The Trade-Offs Of Centralized Cloud Management
The SonicWall breach is a reminder of the risk of centralized cloud management, especially when it involves sensitive infrastructure configurations. A key feature of its enterprise firewall platform is the MySonicWall cloud backup service, designed to streamline firewall management and disaster recovery. Its compromise resulted in the exposure of encrypted credentials, VPN settings, and access rules, which collectively provide an attacker with the operational blueprint for precise and devastating intrusion campaigns.
That said, centralized cloud platforms do offer undeniable benefits, as echoed in Forrester’s report on the cybersecurity platform push, such as:
- Simplified administration.
- Ease of integrations.
- Scalability.
- Tool consolidation.
Lean IT and security teams find solace in such platforms, but the convenience often masks the dangerous assumption that centralized cloud-based management platforms are inherently secure and resilient. As our research has shown, that resilience must be built on a foundation of distributed risk. A centralized, single-cloud repository is a high-value target for attackers, and its compromise has cascading effects.
The Common Thread: Supply Chain Fragility Creates Blind Spots
Both breaches reveal a shared vulnerability: the exposure of critical infrastructure through trusted third-party platforms. Whether it’s cloud-based configuration storage or proprietary development environments, attackers are exploiting the trust that enterprises place in their vendors.
Traditional third-party risk management (TPRM) programs focus solely on assessing the security and risk of the entity (the vendor) but lack a mandate to also assess security at the product level. This creates significant blind spots to flaws or vulnerabilities in the software supply chain.
These incidents reinforce the need for security leaders to treat vendors as extensions of their attack surface. As such, Forrester recommends that security and risk leaders:
- Audit and harden. Immediately audit F5 and SonicWall deployments. Rotate credentials, patch systems, and harden public-facing interfaces.
- Decentralize critical assets. Consider shifting sensitive configurations to local-only storage for high-value infrastructure.
- Step up TPRM. Expand TPRM efforts to assess both entity and product. Prioritize software supply chain security in vendor assessments. Don’t assume that security vendors get excused from detailed assessment and continuous monitoring. In fact, considering how critical they are to your organization’s security, they should be evaluated even more rigorously and continuously.
- Make SBOMs mandatory. Require SBOMs (software bills of materials), secure software development lifecycle practices, SLAs for patch updates, and incident response transparency from the vendor. Continuously monitor SBOMs for newly disclosed vulnerabilities.
- Encrypt backups with customer-controlled keys. Where possible, require client-side encryption or “bring your own key” for any vendor-managed backup service so that even if the vendor is breached, the attacker can’t decrypt sensitive configurations.
- Enable operational resilience. Integrate supply chain risk into ERM programs, aligning with Forrester’s guidance on resilience planning in 2025.
- Carry out detection and threat hunting. To identify potential attacker activity from the F5 breach, hunt for anomalous management-plane logins, configuration changes, and code-signing anomalies. The vendor has provided guidance for tracking login attempts. For SonicWall, track SSL VPN logs for credential-stuffing or mass logins and flag any configuration restores from cloud backups. Make sure you validate image integrity against vendor hashes.
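The detection and integrity checks in the last recommendation can be reduced to a small amount of code. The following is an added example, not code from the Forrester post or from either vendor: it runs over constructed log lines in a made-up key=value format (real F5 and SonicWall log formats differ and must be mapped to these fields), flags one source IP failing SSL VPN logins across many distinct usernames (a credential-stuffing signature), surfaces any later successful login from that same source, lists configuration restores whose source is a cloud backup, and compares the SHA-256 of a downloaded image against the hash the vendor publishes. The threshold of five distinct usernames is an assumption chosen for illustration.

```python
"""Added example (not from the Forrester post or either vendor):
hunt queries over constructed firewall/VPN log lines plus an image-hash
check against a vendor-published digest."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format.
# Real vendor syslog formats differ; map their fields onto these names.
SAMPLE_LOGS = """\
2025-10-20T08:00:01Z sslvpn src=203.0.113.7 user=alice result=FAIL
2025-10-20T08:00:02Z sslvpn src=203.0.113.7 user=bob result=FAIL
2025-10-20T08:00:03Z sslvpn src=203.0.113.7 user=carol result=FAIL
2025-10-20T08:00:04Z sslvpn src=203.0.113.7 user=dave result=FAIL
2025-10-20T08:00:05Z sslvpn src=203.0.113.7 user=erin result=FAIL
2025-10-20T08:00:06Z sslvpn src=203.0.113.7 user=frank result=SUCCESS
2025-10-20T08:05:00Z sslvpn src=198.51.100.4 user=alice result=SUCCESS
2025-10-20T09:12:44Z mgmt src=203.0.113.7 admin=admin action=config_restore source=cloud_backup
2025-10-20T09:30:00Z mgmt src=10.0.0.5 admin=admin action=config_restore source=local_file
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp facility key=value ...' line into a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    fields["facility"] = m.group("facility")
    return fields


def parse_logs(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def find_credential_stuffing(events, min_distinct_users=5):
    """Source IPs with failed SSL VPN logins for many distinct usernames.
    The threshold is an assumption for illustration; tune it to your baseline."""
    failures = defaultdict(set)
    for e in events:
        if e["facility"] == "sslvpn" and e.get("result") == "FAIL":
            failures[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failures.items()
            if len(users) >= min_distinct_users}


def find_success_after_stuffing(events, stuffing):
    """Successful VPN logins from sources already flagged for stuffing."""
    return [e for e in events
            if e["facility"] == "sslvpn" and e.get("result") == "SUCCESS"
            and e["src"] in stuffing]


def find_cloud_restores(events):
    """Configuration restores whose source is a cloud backup."""
    return [e for e in events
            if e["facility"] == "mgmt" and e.get("action") == "config_restore"
            and e.get("source") == "cloud_backup"]


def verify_image(image_bytes, expected_sha256):
    """Compare the SHA-256 of a downloaded image with the vendor-published
    hex digest, using a constant-time comparison."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.strip().lower())


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    stuffing = find_credential_stuffing(events)
    print("credential stuffing sources:", stuffing)
    print("successes from flagged sources:", find_success_after_stuffing(events, stuffing))
    print("cloud-backup restores:", find_cloud_restores(events))
    # Constructed image bytes and digest; substitute the vendor's published hash.
    image = b"constructed firmware image bytes"
    print("image ok:", verify_image(image, hashlib.sha256(image).hexdigest()))
```

Run it as-is to see the three findings; in practice, feed it the exported SSL VPN and management-plane logs and replace the constructed digest with the hash from the vendor's download page. The cloud-restore finding is only meaningful when correlated with the source address and the expected change window, which is why both are kept in the event dict.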
Connect With Us
Forrester clients with questions related to this blog, supply chain risk, or ERM can connect with us through an inquiry or guidance session.
You can also meet our analysts in person at Forrester’s Security & Risk Summit in Austin, Texas, and online on November 5–7, 2025.