Chapter 2. Software Supply Chain Challenges

The software supply chain encompasses all components and processes needed to deliver the end product: a deployed application. These components and processes include your code, third-party dependencies, scripts, tests, environment variables, IDEs, plug-ins, source code repositories, CI/CD tools, and of course package repositories. Like any other supply chain, the software development pipeline consumes raw materials, applying processes and techniques to turn them into end products. Every point in the supply chain can be vulnerable to flaws, mistakes, or threats. Often, the majority of an application comprises open source or proprietary libraries or packages that are themselves the output from another supply chain. All of these interconnected pipelines are potentially vulnerable. Microservices, which are built and packaged separately, each have their own dependencies. As a result, the number of raw materials a modern software supply chain uses from different sources can be vast. The complexity that comes from this interdependency opens up possibilities for numerous effective attack vectors.

Protecting a software development pipeline must begin with knowing the origin and provenance of the raw materials—especially the libraries and packages that come from elsewhere. The next section discusses a few types of risks that the modern software supply chain must anticipate and manage.

Risks Due to Complexity

The supply chain is concerned with ...