A field guide to threat vectors in the software supply chain

Software isn’t developed in a vacuum. An entire ecosystem of components — the software supply chain — is involved in building, testing, and delivering software. This ecosystem offers fertile ground for developing new applications, with a wealth of open source packages, libraries, tools, and processes. However, there are significant challenges as well. The software supply chain is a complicated web of relationships, dependencies, and potential vulnerabilities that can be exploited by attackers. Recent high-profile incidents have highlighted the difficulty organizations face in keeping up with evolving security threats and changing compliance regulations, prompting them to reassess how they maintain software supply chain security.

Understanding the threats

Threats can infiltrate the software supply chain at four key points: through security vulnerabilities in the software's source code, vulnerabilities in dependencies like open source components, vulnerabilities in the software build pipeline, and insecure configurations post-release.

• Compromised source control: The source code is the foundation of the supply chain, and it is essential to ensure the source code’s security and integrity by closely managing who has access to the code and how changes to the code are reviewed and merged. If attackers gain unauthorized access to source code management (SCM) systems, they can take over source code repositories, impersonate users, and modify downstream aspects of the software build process, such as the CI/CD pipeline.
• Risky open source dependencies: Just as failing to manage the quality of goods used in a manufacturing process will jeopardize the quality of the final product, using open source code without validating the quality and security of that code can increase the attack surface and open the door to cyber attacks. Risky dependencies can either be unintentional flaws in third-party components that are found and exploited by attackers, or malicious code deliberately inserted by attackers into public libraries and open source software to gain access to downstream targets.
• Compromised build pipeline: The build pipeline is the assembly line of the software supply chain: where all the software components are assembled into a deployable package. If the build pipeline is compromised, attackers can inject malicious code into the build process and thereby distribute that code to downstream components of the software, including end users.
• Insecure web applications: Even without direct access to source code, dependencies, and build pipelines, attackers can still exploit weaknesses in an application’s design or security configurations.

Improve your security posture with zero trust

To improve software supply chain security, organizations must enforce zero trust principles by:

• Securing access to resources, including source code, with multi-factor authentication, authorization, and continuous validation of all human and machine identities within the environment.
• Verifying that no open source or other dependencies used in software contain known vulnerabilities.
• Preventing bad actors from gaining unauthorized access to build pipelines and rigorously testing configurations and APIs for weaknesses.

Strategies for securing the software supply chain

Ultimately, it’s essential to scrutinize everything and everyone — human, machine, open source components, or application configurations — for potential security threats. This guide will equip DevOps and security teams with the knowledge they need to understand the various types of attack vectors and identify steps to mitigate risks by establishing zero trust.

As you navigate through the guide, consider whether your organization is prepared to identify and address each type of supply chain attack vector — compromised source control, risky open source dependencies, compromised build pipelines, and insecure web applications — and evaluate how to incorporate software supply chain security into your development process, especially in the face of evolving security challenges and compliance demands.