concept

software supply chain

Also known as: software supply chain security, software supply chain management

Facts (62)

Sources
Source: bureado/awesome-software-supply-chain-security - GitHub (github.com, GitHub), 16 facts

claim: The 'awesome-software-supply-chain-security' repository defines a high-level approach to software supply chain security in which different actors contribute attestations to elements in the chain, which are then emitted, augmented, and verified.
claim: The Nix ecosystem faces challenges regarding bitwise reproducibility claims, which are examined in the context of software supply chain security.
reference: Grafeas/Kritis is a solution for securing software supply chains for Kubernetes applications by enforcing deploy-time security policies.
claim: The 'awesome-software-supply-chain-security' repository identifies subjects (dependencies), categories of facts (licenses or vulnerabilities), and the roles of identity, provenance, and build systems as key components of the software supply chain security domain.
reference: Aqua Security's chain-bench is an open-source tool designed to audit software supply chain stacks for security compliance by implementing checks for CIS 1.0.
reference: The snyk-labs/snync tool is designed to mitigate security risks associated with Dependency Confusion in software supply chains.
reference: The repository 'bureado/awesome-software-supply-chain-security' on GitHub provides a curated list of resources, reading materials, and tools related to software supply chain security.
reference: The 'Software Supply Chain Toolkit' by Jetstack is a resource for managing software supply chain security.
reference: Semgrep is a static analysis tool used to detect dependency acquisition in software supply chains.
claim: The buildsec/vendorme tool improves developer workflows by providing a centralized location to manage vendored dependencies and ensuring they are validated, improving software supply chain security.
reference: The 'chainguard-dev/ssc-reading-list' repository on GitHub serves as a compilation of reading materials and context for software supply-chain security.
reference: Chainloop is an open source software supply chain control plane that acts as a single source of truth for artifacts and provides a declarative attestation crafting process.
reference: The SecureStackCo/visualizing-software-supply-chain project provides a visual taxonomy and contextual mapping of software supply chain components organized across 10 stages: People, Local Requirements, Source Code, Integration, Deployment, Runtime, Hardware, DNS, Services, and Cloud.
reference: AppThreat developed 'rosa', an experimental tool for software supply chain security.
claim: VMware Tanzu Application Platform includes new capabilities designed to secure the software supply chain.
reference: The Atlantic Council Software Supply Chain Security dataset is an interactive dashboard and downloadable dataset containing over 250 software supply chain attacks and disclosures, which can be filtered by scale, timing, actors, codebase, and attack vectors.

Source: State of the Software Supply Chain Report | 10 Year Look - Sonatype (sonatype.com, Sonatype), 11 facts

perspective: The software supply chain has reached a critical point where publisher resources cannot keep pace with the rising volume of vulnerabilities, necessitating improved automation, tooling, and support for maintainers to prevent increasing delays.
claim: The year 2017 marked the emergence of the first targeted attacks on the software supply chain using open source malware, as reported by Sonatype's State of the Software Supply Chain reports.
claim: The mean time to remediate (MTTR) vulnerabilities in open source software has shown a troubling upward trend over the past decade, indicating that response times for severe security issues are worsening as software supply chain complexity increases.
claim: Attackers have shifted their focus from directly targeting organizations to exploiting vulnerabilities within the broader software supply chain and its downstream consumers.
claim: Sonatype has been advocating for better software supply chain controls since 2014, noting that the proposed Royce bill could have significantly impacted the industry's preparedness if it had passed at that time.
measurement: Between 2019 and 2024, 704,102 malicious packages were discovered in the software supply chain.
claim: The increasing mean time to remediate vulnerabilities in open source projects is driven by the growing complexity of software supply chains and the increased interconnectedness of projects, which rely on multiple layers of dependencies.
claim: The number of CVE (Common Vulnerabilities and Exposures) reports has shown a massive uptrend beginning in 2016, which correlates directly with the increased mean time to remediate (MTTR) observed in the software supply chain.
reference: The 10th Annual State of the Software Supply Chain Report by Sonatype examines four key dimensions of the software supply chain: attackers, publishers, consumers, and regulators.
measurement: The number of attacks detected in the software supply chain doubled in 2024 compared to the previous period.
claim: The software supply chain has evolved from a niche attack method into a significant cybersecurity threat over the past decade, driven by the interconnectedness of modern software ecosystems and increased reliance on open source components.

Source: Open source software best practices and supply chain risk ... - GOV.UK (gov.uk, Department for Science, Innovation and Technology, Mar 3, 2025), 10 facts

claim: The most important aspects of Open Source Software (OSS) management and community engagement are establishing metrics for trustworthiness and maturity, understanding the software supply chain and dependencies, continuously monitoring for vulnerabilities and licensing issues, and engaging with the community through contributions.
claim: Mishra (2023) identified that a lack of visibility into the software supply chain puts organizations at risk of 'dependency hell', where the number of integrated dependencies grows as the system grows.
claim: SBOM data fields must be standardized and contain essential information on each component to ensure they can be easily identified throughout the software supply chain and linked to other valuable data sources.
account: The Equifax data breach (Fruhlinger, 2020) and the Log4j vulnerability (Gallo, 2022) serve as examples of security incidents resulting from risks associated with software supply chains.
claim: Continuous monitoring of the software supply chain is necessary to identify vulnerabilities, licensing issues, and new versions of open source software components; the lack of such monitoring increases the risk of data breaches or security incidents.
account: Williams (2016) documented the 'left-pad' incident, where the withdrawal of a minor package from the npm package manager caused widespread failure in numerous projects, illustrating the risks of poor software supply chain visibility.
perspective: The authors of the GOV.UK report believe that their recommended best practices will reduce the risk of using open source software, improve the quality of components, and enhance the security of the software supply chain for organizations of all sizes.
procedure: The GOV.UK report recommends that organizations manage open source software by: (1) establishing an internal open source software policy, (2) creating a Software Bill of Materials (SBOM), (3) continuously monitoring the software supply chain, and (4) promoting engagement with the open source software community.
claim: Software composition analysis (SCA) tools can detect security vulnerabilities, licensing problems, and outdated library versions within software supply chains, as noted by Molin et al. (2023).
claim: Software composition analysis (SCA) tools provide significant benefits to organizations by automating the monitoring of software supply chains, thereby saving time and resources, according to Ombredanne (2020).

Source: A Mixed-Methods Study of Open-Source Software Maintainers On ... (arxiv.org, arXiv, Feb 3, 2025), 7 facts

reference: Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar authored 'It’s like flossing your teeth: On the importance and challenges of reproducible builds for software supply chain security', published in the 2023 IEEE Symposium on Security and Privacy (SP), pages 1527–1544.
claim: Specific challenges for OSS maintainers regarding the software supply chain include the burden of keeping up to date with dependencies and the latest vulnerabilities, as well as dealing with unmaintained dependencies or delays in pushing vulnerability fixes.
procedure: Duties related to the software supply chain in OSS include adopting upstream dependencies, tracking the status of dependencies, and updating dependencies in a timely manner, such as when a vulnerability is patched.
claim: Prominent vulnerability management challenges faced by OSS project maintainers include negative CVE relationships and vulnerability scoring, which may lead to the undermining or misreporting of critical vulnerabilities and the pollution of the software supply chain with inconsistencies.
reference: Eric O’Donoghue, Ann Marie Reinhold, and Clemente Izurieta assessed the security risks of software supply chains using Software Bill of Materials (SBOM) in a 2024 study published in the IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C).
reference: Chinenye Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, and James C. Davis analyzed software supply chain security by establishing secure design properties in a 2022 study published in the Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED’22).
claim: General vulnerability management challenges faced by OSS maintainers include trusting the software supply chain, lack of time and resources, and issues with Common Vulnerabilities and Exposures (CVEs).

Source: Cyber Insights 2025: Open Source and Software Supply Chain ... (securityweek.com, SecurityWeek, Jan 15, 2025), 6 facts

claim: The software supply chain is vulnerable due to poor governance by organizations using open source and a lack of transparency for consumers purchasing products that rely on open source components.
claim: Open Source Software will continue to be a risk to software supply chain security because software vendors will always require OSS libraries to build their products.
quote: “This all points to more regulation and compliance around software supply chain security in 2025, including further developments of EO14028 when it comes to mandatory SBOM implementation,” says Mistry.
measurement: Research cited by Nick Mistry of Lineaje found that an average of 250 components with unknown origins exist within every application, creating significant points of exposure for the software supply chain.
claim: Threat groups are dedicating significant resources and advanced techniques to exploiting weaknesses within the software supply chain.
reference: The tea protocol is a decentralized technology framework that uses blockchain technology and TEA tokens (an ERC-20 token) to enhance the sustainability and integrity of the software supply chain by supporting developers and rewarding vulnerability reporting.

Source: Understanding security challenges in the software supply chain ... (pmc.ncbi.nlm.nih.gov, PMC, Mar 5, 2026), 2 facts

procedure: The study titled 'Understanding security challenges in the software supply chain' uses the DEMATEL method to identify and analyze major challenges that weaken software supply chain security.
claim: The study titled 'Understanding security challenges in the software supply chain' identifies and analyzes the major challenges that weaken software supply chain security.

Source: Open Source Software: What is OSS? - Sonatype (sonatype.com, Sonatype), 2 facts

claim: The Sonatype platform helps organizations automate risk mitigation without slowing down development, ensuring speed and compliance across the software supply chain.
claim: Policy enforcement at the point of consumption helps businesses maintain a clean, traceable software supply chain and reduce exposure to supply chain attacks and license violations.

Source: Cybersecurity Trends and Predictions 2025 From Industry Insiders (itprotoday.com, ITPro Today), 2 facts

claim: Attackers are adopting a 'long-con' approach to the software supply chain, building a false reputation as good-faith actors over a long period rather than executing immediate point attacks.
claim: Attackers may compromise or impersonate reputable maintainers to infiltrate the software supply chain and distribute malware through trusted sources.

Source: What Is Open Source Software Licensing? - Coursera (coursera.org, Coursera, Dec 9, 2025), 1 fact

claim: Sonatype is a tool that provides software supply chain security, including vulnerability protection and open source risk management.

Source: Top Five Challenges in Software Supply Chain Security (researchgate.net, ResearchGate), 1 fact

claim: The study titled 'Top Five Challenges in Software Supply Chain Security' quantitatively validates the cascading effects of security risks in multi-layer supply chain networks.

Source: Unknown source, 1 fact

claim: Providing a holistic and effective security solution for the software supply chain requires that the security state and features of the supply chain are well understood.

Source: Cyber Insights 2025: Open Source and Software Supply Chain ... (hendryadrian.com, SecurityWeek, Jan 15, 2025), 1 fact

reference: SecurityWeek's Cyber Insights 2025 report analyzes expert predictions regarding the evolving cybersecurity landscape, focusing specifically on Open Source Software (OSS) and the software supply chain.

Source: (PDF) Towards Understanding and Securing the OSS Supply Chain (researchgate.net, ResearchGate), 1 fact

claim: The burden of secure software supply chain management on developers and projects is increasing due to the rising number of software bugs and security vulnerabilities.

Source: [PDF] A Qualitative Study on Security Challenges of the Open Source ... (teamusec.de), 1 fact

claim: Well-meaning changes to Open Source Software (OSS) can be perceived as threats to the software supply chain and can damage trust in the software.