JPMorgan Chase Sounds the Alarm: Enterprise Software Supply Chains Are Under Attack – Here’s a Smarter Way Forward


Software supply chain security has shifted from a backend problem to a boardroom priority. Security breaches. Compliance mandates. Shadow dependencies. Today’s enterprise software supply chains are under more scrutiny than ever.

In a watershed moment, JPMorgan Chase issued a recent open letter to suppliers: the way software vendors approach security needs to change. Not later. Now.

This letter isn’t just one company raising concerns. As one of the largest and most regulated financial institutions in the world, JPMorgan Chase carries weight across the entire enterprise IT landscape, and its CISO’s open letter is a clear warning shot that supplier security standards are tightening fast. Given the bank’s scale, systemic importance, and position within a highly regulated industry, the letter serves as a significant bellwether.

Other financial institutions and regulated sectors are likely to follow suit, pushing software vendors to rethink how they prove trust, resilience, and integrity. The assumption that a vendor can be trusted based on reputation, paperwork, or annual audits no longer holds. The new baseline is continuous, verifiable proof of software integrity.

So how can enterprise IT leaders modernize securely without slowing down development? SUSE Application Collection offers a smarter path forward.

Annual compliance checks aren’t enough anymore

Modern software is built on layers of dependencies: internal code, open source libraries, third-party APIs, build pipelines, and now AI models. That complexity comes with serious risks. Think Log4j, SolarWinds, or any of the supply chain compromises of the last few years. They all showed one thing: your weakest link might be invisible to you.

JPMorgan’s letter laid it out clearly. Enterprises are demanding:

  • Transparency to fourth-party risks
  • Secure-by-default configurations
  • Trustworthy integration models
  • Evidence that controls actually work

And they don’t mean point-in-time audit reports. They want living proof.

This is the new standard. Annual compliance checks aren’t enough anymore.

Where the old model breaks

The typical approach to open source software, grabbing components from public registries and managing updates internally, is starting to show cracks. Many enterprises can’t keep up with the pace of vulnerabilities, license changes, or integration risks. Recent audits find that roughly nine in ten applications include components that are more than 10 versions out of date.

The scope of this risk is well documented. According to the 2025 Black Duck Open Source Security and Risk Analysis Report,

  • 86% of applications include open source components with known vulnerabilities
  • 81% of applications contain at least one high- or critical-severity open source vulnerability
  • 91% of applications contain components that are 10 or more versions out of date
  • 56% face license conflicts, often from complex transitive dependencies

These numbers show how widespread the risk is when teams rely on OSS from unmanaged sources without active patching or transparent provenance. And in cloud-native environments, where container sprawl and SaaS integrations are the norm, that risk multiplies fast. One misconfigured permission or outdated image can open the door.

Start from a secure foundation: how SUSE changes the game

The SUSE Application Collection offers a different approach. Instead of pulling software piecemeal from public registries and hoping it’s secure, our curated platform provides trusted, compliant, and up-to-date components ready to run in Kubernetes or containerized environments.

Here’s what stands out:

  • All software is built on secure SUSE Linux Enterprise Base Container Images
  • Every component includes a full transitive Software Bill of Materials (SBOM) in both SPDX and CycloneDX formats
  • SLSA Level 3 builds ensure tamper-resistant build processes
  • Continuous CVE scanning and patching are built into the release cycle
  • Curated OCI artifacts and Helm charts for 77+ applications that are secure by default

By curating, verifying, and maintaining these components, SUSE effectively shifts a large part of the DevSecOps burden from internal teams to the platform itself. SUSE positions itself as a trusted intermediary, absorbing complexity and providing assurance for the components within the collection.

This makes a big difference for organizations trying to meet compliance without draining platform or security team capacity.

This is not just about having secure code. It’s about being able to prove it.

“Transparency to risks… including their own dependencies on fourth-party vendors” is not optional anymore.

SUSE goes further by publishing attestations and offering FIPS-compliant variants in its premium tier (coming soon). That makes it easier for regulated organizations in finance, healthcare, or government to meet internal and external compliance standards without rebuilding trust from scratch.

What enterprises expect and how SUSE delivers

1. Enterprises Prioritize Security Over Features

SUSE Application Collection reduces the operational burden of securing open source software across its entire lifecycle, from image to runtime. For example, instead of hardening PostgreSQL from scratch, platform teams can deploy a SUSE-certified version with built-in runtime protections and compliance, reducing risk from day one.

SUSE delivers

  • Pre-hardened applications built on SUSE Linux Enterprise
  • Continuous CVE scanning, rapid patching, and runtime threat detection

2. Enterprises Require Continuous, Verifiable Evidence of Security

SUSE Application Collection speeds up audits and procurement by providing trusted, verifiable evidence, with no manual collection required. When deploying apps like Redis, teams get built-in SBOMs, CVE data, and provenance to satisfy vendor reviews and internal security checks.

SUSE delivers

  • Complete SBOMs and SLSA Level 3 provenance (FIPS-compliant variants coming soon)
  • Continuous CVE scanning and compliance-ready documentation
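Provenance is only evidence if something actually consumes it before an image is admitted. The following is an added example, not SUSE code, of an admission-style policy applied to a decoded in-toto/SLSA v1 provenance statement: it checks that the statement is bound to the exact digest being deployed and that it was produced by a builder the consumer trusts at Level 3 or above. The statement, the image digest, the builder id and the registry name are constructed placeholders, and the DSSE signature over the statement is assumed to have been verified already (for example with cosign), which this check does not repeat.

```python
"""Admission-style policy over a decoded SLSA v1 provenance statement.

Added example, not SUSE code. The statement, image digest and builder id are
constructed placeholders. The DSSE envelope's signature is assumed to have been
verified beforehand (e.g. `cosign verify-attestation`); only contents are checked.
"""
import json
from typing import Dict, List

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Placeholders (constructed): the image about to be deployed, and the builder the
# consumer trusts, mapped to the SLSA build level the consumer attributes to it.
IMAGE_DIGEST = "sha256:" + "0123456789abcdef" * 4
BUILDER_ID = "https://builder.example.com/hardened/v1"
TRUSTED_BUILDERS: Dict[str, int] = {BUILDER_ID: 3}

SAMPLE_STATEMENT = json.dumps({
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "registry.example.com/apps/postgresql",
                 "digest": {"sha256": IMAGE_DIGEST.split(":", 1)[1]}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example.com/buildtypes/container/v1",
            "externalParameters": {"source": "https://git.example.com/apps/postgresql@v16"},
        },
        "runDetails": {"builder": {"id": BUILDER_ID}},
    },
})


def _hex_digest(value: str) -> str:
    """Normalise 'sha256:ABC...' or 'ABC...' to lowercase hex without a prefix."""
    value = value.strip().lower()
    return value[len("sha256:"):] if value.startswith("sha256:") else value


def check_provenance(statement_text: str, image_digest: str,
                     trusted_builders: Dict[str, int], min_level: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means 'admit'."""
    try:
        statement = json.loads(statement_text)
    except json.JSONDecodeError as exc:
        return [f"statement is not valid JSON: {exc}"]
    problems: List[str] = []

    if statement.get("_type") != INTOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # The subject binds the attestation to an exact artifact; a mutable tag is not enough.
    wanted = _hex_digest(image_digest)
    attested = {_hex_digest(s.get("digest", {}).get("sha256", ""))
                for s in statement.get("subject", [])}
    if wanted not in attested:
        problems.append("subject digest does not match the image digest being deployed")

    # SLSA levels are a property of the builder, so the trust decision lives in the
    # consumer's allowlist, not in the provenance document itself.
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {})
    builder_id = builder.get("id")
    level = trusted_builders.get(builder_id)
    if level is None:
        problems.append(f"builder {builder_id!r} is not a trusted builder")
    elif level < min_level:
        problems.append(f"builder level {level} is below the required level {min_level}")
    return problems


if __name__ == "__main__":
    verdict = check_provenance(SAMPLE_STATEMENT, IMAGE_DIGEST, TRUSTED_BUILDERS)
    print("admit" if not verdict else "reject: " + "; ".join(verdict))
```

The digest comparison is the part most often skipped in practice: a provenance document that verifies cryptographically but names a different subject proves nothing about the image in front of you, so the policy fails closed on any mismatch, unknown builder, or unparseable statement.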

3. Enterprises Expect Full Transparency Into Dependencies

SUSE Application Collection improves incident response and helps assess risk during software reviews. Teams can quickly verify whether a Log4j-style vulnerability affects their stack, without reverse-engineering containers.

SUSE delivers

  • Detailed metadata and transitive SBOMs
  • Visibility into every component
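The Log4j-style check described above, as an added example that is not SUSE’s tooling: it walks the dependency graph of a CycloneDX JSON SBOM from the root component and reports every matching package below a given fixed version, together with the dependency path that pulls it in. It also reports matching components that the graph never reaches, a common SBOM gap that a naive graph walk would miss. The SBOM, its purls and the fixed version are constructed for the example; substitute the fixed version from the advisory you are tracking.

```python
"""Find a vulnerable package in a CycloneDX SBOM, including transitive pulls.

Added example, not SUSE tooling. The SBOM below is constructed for illustration;
its layout follows CycloneDX JSON (a components list plus a dependencies graph).
"""
import json
import re
from collections import deque
from typing import List, Optional, Tuple

# Constructed bom-refs; the purls double as refs, as many SBOM generators do.
ROOT = "app"
WEB_FRAMEWORK = "pkg:maven/org.example/web-framework@3.2.0"
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
JSON_LIB = "pkg:maven/org.example/json-lib@1.9.0"
# Listed under components but absent from the dependency graph (a real-world SBOM gap).
ORPHAN_LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"


def _component(purl: str) -> dict:
    name, version = purl.rsplit("/", 1)[1].split("@", 1)
    return {"bom-ref": purl, "name": name, "version": version, "purl": purl}


SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": ROOT, "name": "example-app", "version": "1.0.0"}},
    "components": [_component(p) for p in (WEB_FRAMEWORK, LOG4J_CORE, JSON_LIB, ORPHAN_LOG4J)],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [WEB_FRAMEWORK, JSON_LIB]},
        {"ref": WEB_FRAMEWORK, "dependsOn": [LOG4J_CORE]},  # log4j arrives transitively
        {"ref": LOG4J_CORE, "dependsOn": []},
        {"ref": JSON_LIB, "dependsOn": []},
    ],
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes in a segment are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _strip_version(purl: str) -> str:
    """'pkg:maven/a/b@1.0?x=y' -> 'pkg:maven/a/b' (qualifiers follow the version)."""
    return purl.split("@", 1)[0]


def find_affected(sbom_text: str, package_purl: str,
                  fixed_version: str) -> List[Tuple[str, str, Optional[List[str]]]]:
    """Report every component matching `package_purl` (version ignored) whose version
    is below `fixed_version`. Each hit is (purl, version, path): path is the bom-ref
    chain from the root component, or None when the component is listed but
    unreachable in the dependency graph."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    components = {c["bom-ref"]: c for c in sbom.get("components", []) if "bom-ref" in c}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    target, fixed = _strip_version(package_purl), parse_version(fixed_version)

    def matches(comp: dict) -> bool:
        return (_strip_version(comp.get("purl", "")) == target
                and parse_version(comp.get("version", "0")) < fixed)

    hits: List[Tuple[str, str, Optional[List[str]]]] = []
    seen = {root}
    queue = deque([(root, [root])])  # BFS yields the shortest path explaining each pull
    while queue:
        ref, path = queue.popleft()
        comp = components.get(ref)
        if comp is not None and matches(comp):
            hits.append((comp["purl"], comp["version"], path))
        for child in edges.get(ref, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    # Components the graph never reaches still ship in the artifact: do not miss them.
    for ref, comp in components.items():
        if ref not in seen and matches(comp):
            hits.append((comp["purl"], comp["version"], None))
    return hits


if __name__ == "__main__":
    for purl, version, path in find_affected(SAMPLE_SBOM, LOG4J_CORE, "2.17.1"):
        print(f"{purl} ({version}) via {' -> '.join(path) if path else 'no graph path'}")
```

Run against a real SBOM exported from the platform, the same walk answers the incident-response question directly: not just "is the package present" but "which application and which intermediate dependency pulled it in", which is what decides whether a patch or an upgrade of the parent is the right fix.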

4. Enterprises Demand Secure-by-Default Configurations

SUSE Application Collection lowers human error and helps enforce security posture across dev and prod. For example, NATS deploys via Helm with hardened settings, ready for production from the first install.

SUSE delivers

  • Minimal, hardened base images
  • Helm charts tuned for enterprise security

5. Enterprises Need Trustworthy, Scalable Integrations

SUSE Application Collection makes it easier to integrate trusted services, including SaaS, without adding risk. Developer portals can offer curated services for self-service without compromising compliance.

SUSE delivers

  • Verified Helm charts and containers
  • Built for Rancher-managed Kubernetes environments

6. Enterprises Want Control Over OSS Supply Chain Risks

SUSE Application Collection eliminates shadow dependencies and surprises from public registries. Teams can replace ad hoc Docker Hub pulls with SUSE-maintained containers backed by SLAs and patching.

SUSE delivers

  • Vetted OSS packages with lifecycle support
  • Available via Rancher and AWS Marketplace

It’s all about compliance balanced with speed and control

Enterprise software doesn’t only need to be secure. It also needs to ship fast. The SUSE Application Collection helps by removing the overhead of security validation from platform and developer teams. Developers can self-serve vetted components that meet enterprise standards. Platform teams don’t need to manually track patch cycles, license compliance, or SLSA levels for each image.

This frees up time for what really matters: building value and solving problems, not hunting down outdated packages.

Final thoughts

JPMorgan’s message was clear: the trust-based software supply chain model is outdated. Enterprises are raising the bar, and rightly so. The good news is that we don’t need to start from zero. With platforms like SUSE’s, the tools already exist to build secure, modern applications faster and with more confidence.

Another area where curated platforms can unlock value is application modernization. Many enterprises are working to refactor or rebuild legacy apps into modern, containerized architectures. These projects carry both opportunity and risk. Using pre-approved, secure building blocks helps teams modernize without introducing new vulnerabilities.

Development teams can leverage pre-vetted, secure, and compliant building blocks from platforms like the SUSE Application Collection. This allows them to focus their efforts on securing custom business logic and complex integrations. For any organization that wants to reduce risk, simplify compliance, and give developers a safer path forward, curated platforms are not just nice to have. They’re becoming essential.

Ready to Secure Your Supply Chain?

Explore the SUSE Application Collection or talk to our experts about securing your Kubernetes platforms with SUSE Rancher Prime.


Andreas Prins SUSE