Supply Chain Knowledge Armory

Get the essentials for understanding software supply chain security

Software supply chain security

What is a software supply chain?

Just as the supply chain for a manufactured good is all of the components that go into producing the final product, the supply chain for software includes all of the libraries, languages, and tools that are used to produce the final software product. In modern application languages, the supply chain can include dozens of components and extend several layers deep.

What is software supply chain security?

Software supply chain security is protecting every component and process as organizations develop, distribute and deploy software. Essentially, it is cybersecurity applied to the system delivery lifecycle (SDLC). Every stage of software development – from coding and building to production, deployment and maintenance – is involved and needs to be secure. Any weak point or vulnerability in the chain can be compromised. The SDLC is broad in scale, which makes defining the boundaries of what is and isn’t software supply chain security complicated. To simplify it, you can ask the question, “Does this affect the development, delivery, or consumption of software systems?” If the answer is yes, it falls under software supply chain security.

What are the main challenges in securing the software supply chain?

The foundational challenge in securing the software supply chain is observability. You can’t secure what you can’t see. The first part of this foundational challenge is gaining visibility into the pieces of the software supply chain — understanding the dependencies and how they relate to each other. Then you have to know about those dependencies, including the vulnerabilities associated with each of the package versions. But having that information isn’t enough. The final challenge is being able to answer important questions from the data you have, for example, “Do we have any packages affected by a specific vulnerability?” or “How many places are we using this abandoned library?”
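One way to answer those two questions once the dependency data is in hand, as an added example in Python (not code from the original page): it walks a CycloneDX-style dependency list keyed by package URLs and reports which top-level components transitively include an affected version, and every place a given library is pulled in. The SBOM fragment, the advisory record and the package names are constructed for illustration.

```python
from collections import deque

# Constructed dependency edges in CycloneDX "dependencies" style, keyed by
# package URL (purl): two applications sharing one old library. Not a real BOM.
SBOM = {"dependencies": [
    {"ref": "pkg:pypi/billing@1.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/oldlib@0.3"]},
    {"ref": "pkg:pypi/portal@2.3", "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/oldlib@0.3"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@1.26.5"]},
]}
# Constructed advisory record with a placeholder identifier, not a real CVE.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "name": "urllib3", "affected": {"1.26.5"}}

def name_version(purl):
    """'pkg:pypi/urllib3@1.26.5' -> ('urllib3', '1.26.5')."""
    name, _, version = purl.rsplit("/", 1)[-1].partition("@")
    return name, version

def build_graph(sbom):
    """Adjacency list over every ref that appears, leaf packages included."""
    graph = {}
    for entry in sbom["dependencies"]:
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
        for dep in entry.get("dependsOn", []):
            graph.setdefault(dep, [])
    return graph

def affected_roots(graph, advisory):
    """Q1: which top-level components transitively pull in an affected version?"""
    bad = {r for r in graph if name_version(r)[0] == advisory["name"]
           and name_version(r)[1] in advisory["affected"]}
    depended_on = {d for deps in graph.values() for d in deps}
    hits = []
    for root in sorted(r for r in graph if r not in depended_on):  # top-level refs
        seen, queue = {root}, deque([root])
        while queue:  # breadth-first walk down the dependency edges
            cur = queue.popleft()
            if cur in bad:
                hits.append(root)
                break
            for dep in graph[cur]:
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    return hits

def usage_sites(graph, name):
    """Q2: every (dependent, version) pair that directly pulls in `name`."""
    return sorted((parent, name_version(dep)[1]) for parent, deps in graph.items()
                  for dep in deps if name_version(dep)[0] == name)
```

With the sample data, only the billing application reaches the affected urllib3 version (through requests), while the old library shows up in two places; on a real SBOM the same queries run unchanged over the full "dependencies" list.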

How do software supply chains work with open source projects?

Open source projects present an interesting twist on traditional supply chain concepts. The typical supply chain is based on contractual relationships between each link in the chain. These relationships include requirements for security, functionality, support, and so on. But open source projects are typically provided as-is and without any contracts. Often, open source developers don't even know someone is using the project unless they file a bug report or feature request. This puts the onus on the end user to ensure the project they're using meets their security needs.