What are the steps and things to consider in securing the software supply chain?

The key steps and systems that are relevant to software supply chain security are: 

• Development. The practices and systems used to write software, including the upstream libraries, developer tools, programming languages, and the developer workstations.
• The source code repository. The location where source code is stored and shared with other developers.
• The build. The process of converting the source code into a distributable form. This includes both the tools and the servers used to build the code.
• Publishing. The platform for sharing built code.
• Artifact repository. The location where built artifacts (often container images) are stored and shared with other developers.
• Deploying/consuming. Using software.

Considerations include:

• The SDLC from end to end to prevent attacks, vulnerabilities, and compromises. 
• Both the internal and external supply chains for your project or organization. 

It is not enough to just secure your internal systems, as many attacks find their way in through external open source and vendor dependencies you rely on.

‍

Where in the software supply chain (or SDLC) am I at risk for an attack?

This diagram represents a holistic view of the SDLC. Every arrow and box is a vector for attack to your software supply chain.

‍