Software Supply Chain Security: The Basics and Four Critical Best Practices

What is software supply chain security?

Modern enterprise software is typically composed of some custom code and an increasing amount of third-party components, both closed and open source. These third-party components themselves very often get some of their functionality from other third-party components. The totality of all of the vendors and repositories from which these components (and their dependencies) come make up a large part of the software supply chain. But it’s not just code, the supply chain for a software product also includes all of the people, services, and infrastructure that make it run. Adding it all up: the software supply chain is an often large and complex web of various sources of code, hardware, and humans that come together to make, support, and deliver a larger software product.

Using third-party and open source software saves your organization time and money and frees up your developers to create novel software instead of reinventing the wheel, but it comes with a cost. These components are created and maintained by individuals who are not employed by your organization, and these individuals may not have the same security policies, practices, and quality standards as you. This poses an inherent security risk, because differences and inconsistencies between policies can create overlooked areas of vulnerability that attackers may seek to exploit.

Attackers can compromise the security of the software supply chain in a number of ways including:

  • Exploiting bugs or vulnerabilities in third-party components
  • Compromising the development environment of a third party and injecting malware
  • Creating fake components that are malicious

Software supply chain security seeks to detect, prevent, and mitigate these threats and any others that stem from an organization’s third-party components. In this blog post, one of a series of guides about continuous integration and delivery (CI/CD), we look at software supply chain attacks, and how best to thwart them.

What is a software supply chain attack?

According to the U.S. National Institute of Standards and Technology (NIST), a software supply chain attack occurs when a threat actor “infiltrates a software vendor’s…