Software Supply Chain Attacks: The NCSC and the NCSC Concur That They Are A Major Risk in our World


Did you know that there are two NCSCs in the world, and both of them highlight the risks of the software supply chain? In the US, the NCSC (National Counterintelligence and Security Center) has just published a short preface on attacks on the software supply chain, and it's a great introduction to the threat [here].

Overall, an adversary can inject malicious code into the production lifecycle of software, and that can go undetected by those who build and maintain the software. An example attack is to insert a backdoor into one of the libraries that are integrated into the software build. While developers may check their own code, they often pay little attention to the libraries and external code that they are adding. While compilers could be a major risk, it is unlikely that any compiler with significant backdoors would be allowed to be released. More likely is the integration of external code, in libraries, which has been produced by external entities.

Some languages are great for version control, others not so good

While some software languages, such as Rust, have excellent tool chain integration, there are others, such as Node.js, which are generally weak with version control…



Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
