Software Supply Chain Security 101


Software supply chains are growing increasingly complex. While software often used to be developed by small teams writing custom code, applications are now created using a combination of code from open-source libraries and in-house code by a team of developers. This expansion allows the software to become sophisticated and released faster—but also comes with more teams, more tools, more automation, and more complexity. 

But with progress also comes risks. As more people touch the supply chain and more dependencies are added, the potential for malicious attacks also grows. With open source code and third-party applications, the software supply chain gets opened up to outside factors that can impact the security of your supply chain.

Staying informed about everything that goes into your software is vital to ensuring you can manage the risk—and resolve any issues as they may arise.

What Is A Software Supply Chain?

Software supply chains include all of the raw materials, components, processes, people, and channels it takes to develop and deliver your software product. Like traditional manufacturing supply chains, software supply chains are made up of many components and stages. Each different piece is a link in the software supply chain, and each also represents a component of the expanding software supply chain attack surface. Let’s take a look at a few key components and relevant definitions related to securing software supply chains, and their definitions:

Key Terms

  • Software supply chain: This includes all of the components that it takes to develop and deploy software, including materials, in-house code, third-party libraries, team members, systems, infrastructure, and delivery channels.

  • Software supply chain security: Software supply chain security encompasses all risk management and cybersecurity measures it takes to protect your software supply chain against vulnerabilities. 

  • Secure software supply chain: A secure software supply chain is protected against the vast majority of vulnerabilities, offering confidence that all of the deployed code is secure and ready to release safely.

  • Source code vulnerability: If security isn’t embedded into your application development processes or your source code is compromised, it can lead to a weakness or vulnerability that puts the security of your software at risk.

  • Open source supply chain: Open-source software is software with source code that is publicly accessible, allowing it to be modified, shared, and used by project contributors. An open-source software supply chain leverages any open-source software. 

  • Software bill of material: A software bill of materials, or SBOM, is an exhaustive list of all the  components that are present in any software. It is designed to help keep software supply chains secure by clearly documenting contents and  potential risks related to software that may exist within an application.

  • NIST: The National Institute of Standards and Technology, or NIST, is an organization within the U.S. Department of Commerce. Their goal is to promote standards-based innovation in science, technology, and engineering and help organizations better manage cybersecurity risk.

  • OWASP: The Open Web Application Security Project®, or OWASP, is a non-profit organization that strives to improve software security by providing open-source resources like documentation, education, and training.

  • Open-source code: Open-source code is software that is widely available and can be viewed, deployed, and/or modified by anyone.

  • Third-party code: Third-party code is software that is developed and often licensed or sold to companies to use in their applications.

Here’s Why Securing Your Software Supply Chain Matters

As the digital world expands and consumers are moving to digital-first solutions across industries, it’s more important than ever that organizations develop secure applications. In order for that process to be effective, it’s critical that they prioritize the protection of their software supply chain. 

Cybercrime is up 600% since the Covid-19 pandemic and will cost an estimated $10.5 trillion annually by 2025. Major security breaches result in damage to brand names, business disruptions, financial costs, customer loss, and even can come with regulatory fines. And with software supply chain attacks becoming more prevalent and more devastating, software supply chain security is now one of the fastest-growing sectors in cybersecurity.

High-profile security attacks targeting the software supply chain, like the SolarWinds attack in 2020, are becoming more and more common as hackers attack or disguise malware in publicly available source code, among other potential exploits. SolarWinds, a major Oklahoma-based software company, suffered a breach of their IT monitoring system, SolarWinds Orion. Attackers broke into the system and added malicious code to the software. The change was undetected for months. 

As a result, the attackers were able to access information from SolarWind’s clients unchecked—including cybersecurity firms and government organizations like the Department of Homeland Security. In total, the hack compromised data from over 30,000 organizations. This unprecedented attack showcases the widespread ripple effect that can be caused by a cybersecurity threat that attacks the software supply chain; it not only impacts one business but any organization using the software.  

Codecov, a code coverage solution, was the target of a similar sophisticated hack. In early 2021, Codecov was compromised and confidential customer information was sent to malicious actors over a period of several months. As a software tool, Codecov was a common component in many organizations' software supply chains, which resulted in this becoming a  widespread vulnerability.

Organizations must work proactively to prevent cyber threats instead of waiting to address them after the fact. A security-first approach at every stage of your software development lifecycle process is critical to the long-term success of your risk management and mitigation efforts.

Protecting your software supply chain and implementing cyber risk management protocols can help organizations prevent catastrophic damage caused by successful breaches. By integrating security into DevOps, you can transition your software development lifecycle toward a security-centered approach. Start by understanding these key terms: 

Key Terms

  • Open source supply chain attack: An open source supply chain attack occurs when malicious actors add viruses, malware, or other malicious software to open source code.

  • Software supply chain attacks: When cyber attacks gain access to your applications via the software supply chain, it is considered a software supply chain attack. This can be done in different way, like altering commonly used open source code or by infiltrating your development pipeline.

  • Software threats: In this context, software threats include any type of attack vector that creates vulnerabilities in your software supply chain.

  • Software supply chain management: Managing your software supply chain includes overseeing all of the links in the chain, from open source code to software licensed from third-party vendors to code developed by in-house teams. It also includes managing the systems, infrastructure and processes used across your SDLC. Looking at software supply chain management through a security lens can help protect your organization from malicious attacks.

  • Security-driven development: This process involves prioritizing secure applications from the very start. Software engineers take extra steps to securely develop their source code and securely configure their SDLC systems and tools, helping to protect the software from potential exploits and malicious threats. 

  • SDLC: The Software Development Life Cycle, or SDLC, is the development lifecycle of all software. It has several phases: planning, analysis, design, development, testing, deployment, maintenance, and integration.

  • SSDLC: The Secure Software Development Life Cycle, or SSDLC, is the development lifecycle of software, with added rigor around maintaining security at each stage of the process. In addition to direct alignment to the SDLC life cycle steps, SSDLC has extra phases that focus on risk assessment, threat modeling, and security testing and assessments.

  • Application security lifecycle: The application security lifecycle focuses on the steps and best practices to find and resolve security vulnerabilities within your applications. It is typically considered to have several phases, including analysis, implementation, and maintenance.  

  • Open source software supply chain security: Open source software supply chain security includes monitoring and managing any risks associated with using open source code.

Types of Threats Your Software Supply Chain Faces

As software supply chains become more complex, the opportunity for threats continue to grow. There are five primary threats that every software supply chain faces, regardless of company type or industry. Taking proactive steps to protect against these main threats helps to ensure the security of your supply chain, protecting your business and your customers. 

Learn more about each threat and what steps you can take to mitigate risks to your software supply chain.

Code and Intellectual Property Theft 
All code written by your software developers is considered intellectual property. Regardless of whether or not the code has been registered as a patent or is copyrighted property, it is illegal to steal or use it without authorization. If this code is stolen or accessed through unauthorized channels, it is considered copyright infringement. 

Source Code Tampering and Malicious Code Injection
Like in the SolarWinds attack, hackers will often inject malicious code into software to gain access to the application. The malicious code then changes the way the software runs, introducing and/or exploiting vulnerabilities.

Insecure User Access into the SDLC 
When an unauthorized user gains access at any stage of your SDLC, it can put your entire supply chain at risk. Instead of security being an afterthought, using a “least privilege” approach can help you integrate security throughout the development process to help identify and prevent these vulnerabilities before release.

Third-Party Software, Components and Plug-ins Risk
When integrating with third-party software, components and plug-ins in your supply chain, you expose your ecosystem to added vulnerabilities. If the third party software is a successful target of a cybersecurity attack, vulnerabilities in their systems may also be reflected in your own.

Pipeline, Process, and System Misconfiguration Risks
A CI/CD pipeline helps you innovate faster—but it also exposes you to an expanded attack surface and greater security risks. Because CI/CD often requires integrating with more systems and infrastructure, like GitHub, it can increase vulnerabilities–particularly to your software supply chain– increasing your risk exposure. Similarly, if your infrastructure is configured incorrectly, attackers can take advantage to breach your pipeline. Tighter access controls, and regular assessment, configuration checks, and maintenance, can help mitigate these risks. 

Threats to the cybersecurity landscape are constantly changing. As high-profile attacks like SolarWinds, LastPass, and Codecov continue to find success, while others are attempted on organizations like Github, cyber-criminals are increasingly exploiting this sprawling and rapidly changing attack surface. Organizations must stay vigilant to keep up with attackers and maintain the security of their software supply chain. Otherwise they risk putting their software supply chain and broader digital business initiatives at risk. Here’s a brief glossary with several relevant terms:

Key Terms

  • Cyber threats: A cyber threat is anything that poses a risk to your cyber assets, like unauthorized access or modification to your systems or software. 

  • Software supply chain attack: Supply chain attacks are attempts by malicious actors, such as hackers and cybercriminals, to infiltrate your pre-production development environment and compromise your application,  sensitive data, or disrupt your business. 

  • Software supply chain risk: Software supply chain risks are potential vulnerabilities that may provide opportunities for malicious actors to compromise your software and systems.

  • Source code leak: A source code leak is when a malicious actor gains access to your source code. If your confidential source code is leaked, it means it is available to hackers, other malicious actors, or even the general public. This, in turn, allows further exploits and cyber threats.
  • GitHub security risks: GitHub is used to store and manage source code, and has become the world’s largest software repository. Hackers commonly target GitHub, making it a vulnerability for many software supply chains.

  • DevOps security tools: DevOps security tools help you accelerate and scale security practices through automated vulnerability scanning, analysis, and testing.

  • Agile software development security concerns: Because agile software development includes rapid sprints, security can be bypassed or neglected throughout the development process due to the pressure to release code quickly. This can lead to vulnerabilities in the software supply chain.

  • Compromised code: Compromised code is any code that has been leaked, accessed without authorization, or in any way manipulated or changed by a third party.

How to Perform an Application Security Risk Assessment (+ Checklist)

As cyber attacks and threats become more common, it’s important to assess your application security throughout the entire DevOps process—instead of restricting it to just  the beginning or end. Not only does this help your team move faster, but an application security risk assessment also protects your business better. Committing to the key tenants of DevOps agility and security is critical to the overall integrity and security of your software. 

These assessments can help identify weak points and allow you to course-correct before they’re discovered by malicious actors. Every software security risk assessment has four key phases: 

1. Identification

To start your security risk assessment, you must first identify all of the applications and all of the information stored across your organization that needs to be secure. This includes in-house trade secrets and intellectual property, like code and software, along with third-party vendor information. It also includes data like client and customer personally identifiable information (PII), and any other sensitive data. 

2. Assessment

Once you have an exhaustive list of all of your data and applications, you should assess any potential risks or threats to that data. Be aware of vulnerabilities that allow for malicious activity, but this is also a good time to consider other risks that can compromise the overall health of your applications and data. Hardware failure, like a faulty server, or human error, like the deleting of a file, can be just as catastrophic to a functioning application as a hacker.  Similarly, unexpected forces of nature, like hurricanes or floods, can pose a risk depending on your production hosting and backup locations. 

3. Mitigation

After completing your assessment, plan and implement necessary steps to remove or mitigate your application security risks as much as possible. Ensure that all of your applications are compliant with your latest relevant cybersecurity frameworks and, regulatory requirements. Evaluate and assess the full impact of recommended mitigation, including cost, organizational changes, operational load, and feasibility.

4. Prevention

Once all of the possible security risks have been mitigated, take all available steps to prevent any cybersecurity threats in the future. Create an incident response plan in case of attack, develop a protocol around assessing security threats regularly, and train all necessary team members to ensure your organization stays vigilant and compliant. Consider leveraging DevOps security tools to increase security at every stage of your SDLC.

Assessing cyber risk and vulnerabilities is vital to ensuring the cyber security of your organization. Plan to perform risk assessments regularly to minimize your exposure and keep your software secure. Use a security risk assessment checklist to streamline and standardize the process. This will allow you to proactively address security issues as they are identified—instead of only at the end of the process—to accelerate secure development and make your team more agile and effective. Here are several terms to keep in mind along the way:

Key Terms

  • Application risk assessment: An application risk assessment involves evaluating and determining the level of security risk tied to an application throughout the software development lifecycle.

  • Web application risk assessment: Similar to an application risk assessment, a web application risk assessment is evaluating and determining the level of risk tied to a web application and the various stages of its development.

  • Application security risk assessment checklist: An application security risk assessment is a documented process for identifying, assessing, tracking, and managing the potential risks to an application.

  • Application security risk rating: Based on your application risk assessment, applications are given a rating that typically falls into one of five risk levels: critical, important, strategic, internal, or general.
Application security requirements:
  • OWASP testing checklist: To help teams keep their software supply chain secure, OWASP has created a testing checklist to help identify and resolve issues. 

  • SDLC security audit: An SDLC audit is when you evaluate and identify any vulnerabilities within your software development process and take steps to mitigate potential risks.

  • Network security controls: There is a wide range of network security controls that can be grouped into three main categories: technical, administrative, and physical. 

  • Cybersecurity compliance: If you maintain cybersecurity compliance, your software supply chain adheres to the recommended standards and requirements of a particular agency, like OWASP or NIST.

How to Secure Your Software Supply Chain

When securing your software supply chain, it can be a challenge to know where to start. Instead of adding security checks at the beginning or end of the process, it’s vital to include them at every step of the software development process to best address the multitude of potential vulnerabilities and risk that can compromise your applications. 

Take these 10 steps to effectively secure your SDLC:

  1. Get visibility across your software supply chain.
    Before you begin, you should assess your software supply chain from start to finish. Take an inventory of all code, applications, vendors, and people who have access, and evaluate the entire system from beginning to end. This will ensure you’re looking at the software supply chain holistically instead of in operating siloes.

  2. Evaluate your SDLC systems and pipelines.
    You should evaluate all of the components within the software development process that need to be secured. With today’s continuous software release processes, there will be multiple raw materials, base libraries, third-party packages, and other elements within your software supply chain that can introduce vulnerabilities and risk. Try mapping your entire pipeline—including all entry points and connections—to best assess your potential risk.

  3. Eliminate user and process workarounds/bypasses.
    It’s not uncommon for application developers to employ workarounds that bypass security measures, and developers may also skip certain security tests in the interest of faster development. While this might make their day-to-day life easier, it compromises the security of the entire software supply chain. Take steps to prevent these types of shortcuts to keep your chain more secure.

  4. Take advantage of automated security tools.
    There are a few automated tools that help you effectively enhance the security of your software supply chain:

    SAST: Static Application Security Testing, or SAST, analyzes program source code to identify security vulnerabilities, such as SQL injection, buffer overflows, and XML external entity (XXE) attacks.
    SCA: Software Composition Analysis, or SCA, is a category of tools that analyze and manage the open-source elements of an application. You can leverage SCA tools to verify licenses and assess vulnerabilities of open-source components within your supply chain.
    DAST: Dynamic Application Security Testing, or DAST, is a testing method that evaluates software application security in production. It simulates malicious actors trying to break into the application to identify any flaws or vulnerabilities.

  5. Establish and monitor developer security hygiene.
    Because multiple components are connected in the software supply chain, a high degree of separation is vital to maintaining security. To ensure good code hygiene, you should also regularly scan all components for vulnerability and only use known components. You should also ensure that developers avoid common issues, such as cloning code repositories with anonymous access and hard coding passwords, access token and other secrets in source code.

  6. Use risk scoring and establish minimum security requirements for software releases.
    NIST has identified six key components for minimum security. Maintaining these requirements, can help you minimize vulnerabilities and risk, and keep your software supply chain secure against breaches.

    1. Threat modeling

    2. Automated testing
    3. Code-based analysis
    4. Dynamic analysis
    5. Check included software
    6. Fix bugs

  7. Implement a Software Bill of Materials (SBOM).
    Inventory all of the components of your supply chain and create a SBOM. Using an automated tool can help streamline this process and keep your SBOM up to date.

  8. Monitor privileges/access management.
    Keep track of who has access to all accounts. Always use the principle of least privilege, and regularly grant and revoke access based on necessity. This can help prevent attackers from gaining access and keep your system protected. If possible, leverage automated monitoring to track activity.

  9. Continuously monitor development partners and third parties.
    When using open source code, it’s important to keep track of your partners and vendors. Because vendor breaches can cause a devastating blow to the security of your software supply chain, you should always inspect their security documentation, request data breach history, and monitor for risks like exposed credentials to keep your systems secure.

  10. Establish an incident response plan.
    Even when you’re diligent, you need to think ahead and ensure you’re prepared in case a security breach arises. Identify where you’re most vulnerable, and define who needs to do what in the event of a breach. That way, you’re already prepared and can react quickly if and when a breach occurs.

Important terms to know:

  • Artifact Registry or Repository: A software repository is where you store all of your software packages. They typically hold containers that include everything you need to run a desired application.

  • Software Bill of Materials (SBOM): A software bill of materials, or SBOM, is an exhaustive list of all the components that are present in any software. It is designed to provide visibility into your application composition to help keep your software supply chains secure.

  • Software Composition Analysis (SCA): Software Composition Analysis, or SCA, is a category of tools that analyze and manage the open-source elements of an application.
  • Source code security: Source code security includes the policies and protocols put in place to protect in-house source code.

  • Source code management (SCMS): Source code management systems help you create a source code repository to track changes and help with version control.

  • Open-source dependencies: When creating an application, you can often use open source code instead of creating new code for common functions. This becomes an open source dependency within your software development.

  • Static application security testing (SAST): Static Application Security Testing, or SAST, analyzes program source code to identify security vulnerabilities.

Best Practices for Cyber Supply Chain Risk Management (C-SCRM)

To ensure your software supply chain is as secure as possible, follow a few best practices:

  • Deploy Organization-Wide C-SCRM. Supply Chain Risk Management, or C-SCRM, is a multidisciplinary approach to managing cyber threats to your software supply chain. Deploying it across your organization helps you create a framework that encourages a collaborative and unified approach across development teams. 

  • Create a Formal C-SCRM Program. Creating a formalized C-SCRM program empowers you to thoroughly identify and mitigate risks to your software supply chain. A formal program should include details like who is responsible for enforcing it, which tools are acceptable, and other protocols that relate to securing the software development lifecycle and ongoing cyber risk management.

  • Monitor Your Critical Components & Suppliers. Continually monitoring things like your CI/CD pipelines, repositories, development access, and integrations is vital to maintaining your cyber security. Continuous monitoring helps identify a breach as soon as it happens. 

  • Get to Know Your Supply Chain. Visibility into your cyber risk is vital to effective application security. Knowing every link in your software supply chain allows you to identify any possible vulnerabilities. Be sure to work only with trustworthy and transparent suppliers and require them to include information like defect rate tracking and root cause analysis methodology to better understand how they manage risk.

  • Focus on Security Collaboration with Outsourced Development Teams. Developing a relationship with your software suppliers makes it easier to communicate and share information which, in turn, helps you better manage software supply chain risk. Open communication makes it easier to identify and understand vulnerabilities earlier on in the process, helping you better protect your applications from security threats.
  • Make Development Teams Part of Resilience & Improvement Initiatives. Recruiting your application developers to have input into all parts of the process—including your resiliency plans—helps create a culture of application security that will help bolster your resistance against threats. It also ensures that if and when a threat is identified, your organization is better equipped to collaboratively mitigate the issue.

  • Continually Assess/Monitor Developer Relationships. Supplier assessments shouldn’t be one-and-done. Leverage an automated software solution that continuously monitors and identifies vulnerabilities across your software supply chain—including key suppliers—to help minimize risk.

  • Anticipate and Respond to Interruptions. It’s best to expect the unexpected. Things like changing suppliers or adding new open source components can impact the functionality and security of your applications, so it's best to plan for all possible scenarios.

Key terms to know:

  • Software supply chain management: Managing your software supply chain includes overseeing all of the links in the chain, from open source code to third-party vendors to in-house teams. Approaching supply chain management through a security lens can help protect your organization from malicious attacks.

  • Software supply chain risk management: This part of the management process involves identifying, mitigating, and managing all potential vulnerabilities and cyber risk associated with your software supply chain.

  • Software composition analysis (SCA): Software Composition Analysis, or SCA, is a category of tools that analyze and manage the open-source elements of an application. You can leverage SCA tools to verify licenses and assess vulnerabilities of open-source components within your supply chain.
  • Trusted software supply chain: A trusted software supply chain has verifiably secure components and will help you minimize vulnerabilities introduced into your applications.

  • Known components: Known vulnerable components are those that have vulnerabilities, included in lists and threat feeds like OWASP’s list of 10 application vulnerabilities.

  • Threat modeling: Threat modeling is the process of predicting, identifying, communicating, and understanding potential threats in your software supply chain.

  • Principle of Least Privilege (PoLP): This principle is a concept that users should only have access to a limited portion of the software supply chain to increase security, by limiting them to the least amount of access necessary to do their jobs.

  • Trusted development partner: Trusted development partners are third parties you have verified you can safely work with to provide code or applications to aid in your development process.

  • Incident response plan: An incident response plan identifies in advance those areas where your software supply chain might be vulnerable, and define what steps need to be taken and who needs to do what in the event of a breach. This will prepare you to react quickly to mitigate the threat and minimize potential damage.

What to Look for When Purchasing Software Supply Chain Security Solutions

While you can build your own software supply chain security, it is a complicated and time-consuming process that can often be streamlined with the support of a commercial application security solution. Creating home-grown solutions to secure your software supply chain can become a significant resource and maintenance burden—while commercial off-the-shelf (COTS), enterprise-level security solutions can be more rapidly adopted by in-house security teams in a short amount of time.

When selecting a software supply chain security solution, look for something that:

  • Works with your existing tools, people and application security workflows
  • Supports cloud, private cloud, and on-premises development environments, preferably agentless whenever possible
  • Minimizes operating complexity and is fast to implement

Enterprise software supply chain security solutions will help you protect your organization and give you added peace of mind–without the high cost of creating your own. It can help to score and compare the relative security of different teams, different pipelines, different systems, and infrastructure within your software development lifecycle, giving you insight into whether they're weak or strong from a security perspective.

Enterprise software supply chain security software also enables you to implement automated vulnerability detection and analysis. You can monitor for and enforce real-time, continuous regulatory compliance and while also benefiting from a unified application security dashboard. This layer on top of your existing security tools offers added visibility into end-to-end application vulnerability and risk management coverages and gaps. 

Most enterprise security software, like Legit Security, also seamlessly integrates with your existing security tools, scanners, and processes without any changes, making onboarding simple. That way, you can holistically score and monitor risks in real time across your software supply chain.

After choosing the right vendor, you’ll be able to keep your focus on managing the security issues and vulnerabilities that matter most—all while the software continuously identifies and helps mitigate vulnerabilities across your people, pipeline, code, and SDLC systems and infrastructure. This frees up your application development teams to focus on application features and innovation, instead of getting tied up by tedious and/or time consuming security work.

Important terms to know:

  • Software supply chain security: Software supply chain security includes the monitoring and managing of vulnerability and risks that have the potential to impact your software supply chain.

  • Software supply chain security company: These third-party companies help you monitor your software supply chain for vulnerabilities and risk to keep it more secure. 

  • Cloud-oriented software supply chain security: Cloud-oriented software supply chain security solutions help monitor and protect cloud components of the software supply chain against security threats. 

  • Open-source management software supply chain security: This type of security identifies, analyzes and continues to monitor any vulnerabilities associated with open-source elements deployed in your software supply chain.

  • Agentless software supply chain security: Agentless security solutions use APIs and access tokens to monitor your software supply chain automatically—without the need to deploy software or agents.

  • Supply chain security certification: Certifications, like ISO 28000, demonstrate a certain level of knowledge, commitment, and skill in software supply chain management.

  • Security incident reporting: Incident reporting is used to document the details of any security breach. It typically lists detailed information about what happened, what steps were taken to mitigate the risk, and the outcome of the incident. 

  • Compliance frameworks: Compliance frameworks are guidelines that government and other organizations put into place to outline mandatory requirements and recommendations for process, protocols, and best practices when it comes to software supply chain security.

Protect Your Business & Boost Your Software Supply Chain Security Today

Understanding your software supply chain is the first step toward effectively securing it. Keeping your software supply chain protected is a vital component to keeping internal information and sensitive customer data secure. As cyber threats and data breaches become more common, organizations must take action to assess and mitigate risk before it happens. When it comes to software security, a proactive approach is far more effective than a reactive approach.

After completing a thorough risk assessment of their software supply chain, you’ll have a better idea of your application vulnerabilities—which makes it possible to better secure your software development lifecycle. But you don’t have to do it alone. Software supply chain security solutions are designed to help businesses like yours continuously monitor for vulnerabilities and other threats. Choosing the right partner can help your teams focus on what matters most to their specific roles in the organization—instead of spending all of their time mitigating risk.

Take the first steps toward finding the right software supply chain security solution today. 

Secure Your Software Pipeline

Share this guide

Book a 30 minute demo including the option to analyze your own software supply chain, if desired.