Supply Chain Security
Practices for ensuring the integrity and security of all dependencies, tools, and processes comprising the software development pipeline.
What it is
Software supply chain security protects against attacks compromising dependencies, build tools, or distribution processes. Attacks like SolarWinds and Log4Shell demonstrated its importance.
Attack vectors
| Vector | Real-world example | Mitigation |
|---|---|---|
| Malicious dependencies | Typosquatting on npm/PyPI | Lockfiles, dependency review |
| Build system compromise | SolarWinds (2020) | Hermetic builds, SLSA Level 3+ |
| CI/CD pipeline injection | Codecov breach (2021) | Least privilege, rotated secrets |
| Compromised images | Base images with vulnerabilities | Scanning with Trivy, signed images |
Mitigation practices
- SBOM: Software Bill of Materials (dependency inventory)
- Dependency scanning: Snyk, Dependabot, Trivy
- Artifact signing: cosign, Sigstore
- SLSA: Supply-chain Levels for Software Artifacts (maturity framework)
- Lockfiles: exact dependency versions
SLSA Levels
| Level | Requirements |
|---|---|
| 1 | Build process documentation |
| 2 | Hosted build service, retained logs |
| 3 | Isolated build, verifiable provenance |
| 4 | Hermetic build, two-party review |
Why it matters
Software supply chain attacks exploit trust in third-party dependencies. A single compromised package can affect thousands of applications. Verifying signatures, auditing dependencies, and using SBOMs are essential defensive practices.
References
Related content
- DevSecOps
Integration of security practices throughout the software development lifecycle, automating security controls in the CI/CD pipeline.
- Container Security
Practices and tools for securing containers throughout their lifecycle: image building, runtime, orchestration, and compliance.
- Vulnerability Scanning
Automated process of identifying known vulnerabilities in code, dependencies, containers, and infrastructure before they reach production.