Our world runs on software. From mobile apps to connected devices to industrial systems, we depend on vast quantities of code to get things done. Most of the code in the products companies ship originates outside those companies: it is largely commercial third-party and open-source code. Organizations are expected to take responsibility for the software they deliver, yet they depend on vendors and open-source projects to vet and secure the components they integrate, and it is difficult for them to know with certainty what they are passing on to their customers. Compromising trusted code and applications has become a favored technique for adversaries of all types, and organizations need to strengthen their product security to protect themselves and their customers.
In this document we:
- Explain the threats facing software supply chains today and the adversaries behind them
- Review the challenges in identifying supply chain risks
- Discuss the most common attack vectors
- Provide practical advice on mitigating supply chain risks