Software Supply Chain Security — An Introduction

Vishal Garg
5 min read · Jul 10, 2023

As organizations have matured their capabilities to protect production systems from cyber threats, attackers have turned their attention to compromising software supply chains, that is, the processes by which software is developed and delivered.

According to the catalogue of supply chain compromises compiled by the Cloud Native Computing Foundation (CNCF), the earliest recorded software supply chain attack dates back to 2003, but such attacks have become far more prominent in recent years, with SolarWinds (Dec. 2020) and Log4Shell (Dec. 2021) grabbing media attention worldwide.

The emergence of sophisticated software supply chain attacks has prompted concerted efforts from both government and private-sector organizations; the U.S. government issued an Executive Order on Improving the Nation’s Cybersecurity on 12 May 2021, with a section specifically dedicated to improving software supply chain security.

Before we delve deeper into understanding the software supply chain threats, complexities, challenges, impact on organizations, and what we need to do to protect ourselves, let’s first understand what constitutes a software supply chain.

Supply Chain in General

Before discussing the software supply chain, let’s first look at what a supply chain is in general.

A Supply Chain refers to a process that encompasses everything from sourcing raw materials from suppliers to manufacturers through to its eventual…


Passionate about Information & Cybersecurity. Putting my thoughts down to improve clarity and for knowledge sharing.