Software Supply Chain Security

When we talk about software supply chain security, we are talking about the process of identifying, analyzing, monitoring, and mitigating security risks, vulnerabilities, and compliance issues posed by third-party software vendors within an organization’s supply chain.

Survey findings :

In an average application, 85-90 percent of the codebase is open source.

99 percent of codebases contain at least some open source code, and 75 percent use at least one vulnerable open source component.

74 percent of the applications with vulnerable libraries can be fixed just by updating those libraries.

Software Supply Chain Attack : A technique in which an adversary slips malicious code, or even an entire malicious component, into a trusted piece of software or hardware.

Dependency Typosquatting : Typosquatting attacks take place when bad actors push malicious packages to a registry under names that closely resemble legitimate ones, in the hope of tricking users who mistype or misremember a name into installing them.

Dependency Confusion : A dependency confusion attack (also called a supply chain substitution attack) occurs when a package installer is tricked into pulling a malicious package from a public repository instead of the intended package of the same name from an internal repository.
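Both of the preceding definitions describe risks that can be checked for before a package is ever installed. The following Python script is an added example written for this page, not code from the original post: it audits a requirements file for names that sit within one edit (insertion, deletion, substitution or adjacent transposition) of a well-known public package, and for internal-only names that also exist on the public registry. Everything in it is constructed for illustration: the well-known list, the internal names (the `acme-*` packages are assumed and not real projects), the public-registry snapshot (a real tool would query the registry) and the sample requirements file.

```python
import re

# Constructed allowlist of widely used public package names. An organization
# would maintain or derive such a list; this is not a registry snapshot.
WELL_KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "cryptography", "django"}

# Constructed set of names published only to the organization's private
# index (assumed names, not real packages).
INTERNAL_ONLY = {"acme-auth", "acme-billing-client"}

# Constructed snapshot of names that currently exist on the public registry.
# In practice this comes from querying the registry; here one internal name
# has been claimed publicly to show a dependency-confusion collision.
PUBLIC_REGISTRY_NAMES = WELL_KNOWN_PUBLIC | {"reqeusts", "acme-billing-client"}

# Constructed requirements file used as sample input.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0       # genuine, widely used
reqeusts==2.31.0       # constructed typo of 'requests'
acme-auth>=1.0         # internal only, no public collision
acme-billing-client    # internal name that also exists on the public index
"""


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Insertions, deletions, substitutions and adjacent transpositions each
    cost 1, so 'reqeusts' is distance 1 from 'requests'.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_well_known(name, max_distance=1):
    """Return the well-known name that `name` resembles, or None.

    An exact match is the genuine package, not a typosquat, so it also
    returns None.
    """
    n = normalize(name)
    if n in WELL_KNOWN_PUBLIC:
        return None
    best = min(WELL_KNOWN_PUBLIC, key=lambda known: osa_distance(n, known))
    return best if osa_distance(n, best) <= max_distance else None


def has_confusion_risk(name):
    """True when a name meant for the private index also exists publicly."""
    n = normalize(name)
    return n in INTERNAL_ONLY and n in PUBLIC_REGISTRY_NAMES


def requirement_name(line):
    """Extract the project name from one requirements line, or None."""
    spec = line.split("#", 1)[0].strip()
    if not spec:
        return None
    return re.split(r"[=<>!~\[\s;@]", spec, maxsplit=1)[0]


def audit_requirements(text):
    """Return (kind, package, detail) findings for a requirements file."""
    findings = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        lookalike = closest_well_known(name)
        if lookalike is not None:
            findings.append(("typosquat", name, lookalike))
        if has_confusion_risk(name):
            findings.append(("dependency-confusion", name, "public-index-collision"))
    return findings


if __name__ == "__main__":
    for kind, pkg, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind:20} {pkg:22} {detail}")
```

The collision check matters because installers that are given a public index alongside a private one treat both as peers and generally pick the highest version available for a name, wherever it came from; flagging an internal name that has appeared publicly is the signal to claim that name on the public registry and to point the installer at a single, controlled index.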

A federal executive order requires software operators and developers, including those of open source software, to provide an SBOM in order to mitigate software supply chain attacks like the SolarWinds compromise.

SBOM : A Software Bill of Materials is a list of the "ingredients" that make up a piece of software, including libraries and modules (whether open source or proprietary, free or paid), as well as information about the development tools and CI (continuous integration) environment variables used during the build process.
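To make the SBOM definition concrete, the following Python example, added here and not taken from the original post, assembles a minimal CycloneDX-style document from an inventory of installed components and then matches those components against a list of advisories to show which libraries need updating (the remediation the survey figures above point to). The component inventory, the `acme-auth` package, the generator tool name and the advisories are all constructed for illustration; the advisory IDs and version ranges are invented and describe no real vulnerability.

```python
import json
from datetime import datetime, timezone

# Constructed inventory of installed components (name, version). A real
# generator would read these from the package manager or the lockfile.
INSTALLED_COMPONENTS = [
    ("requests", "2.31.0"),
    ("urllib3", "1.26.5"),
    ("acme-auth", "1.4.0"),   # assumed internal package, not a real project
]

# Constructed advisories for illustration only; the IDs and version ranges
# are invented and do not describe real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "urllib3", "affected_below": "2.0.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "requests", "affected_below": "2.20.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple of ints.

    Simplification: pre-release and local suffixes are dropped, which is
    enough for the sample data here; production code should use a full
    version-specification parser.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl(name, version, ecosystem="pypi"):
    """Package URL identifying one component, e.g. pkg:pypi/requests@2.31.0."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_sbom(components, ecosystem="pypi"):
    """Assemble a minimal CycloneDX-style JSON document as a Python dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            # Assumed generator name; records which build tool produced the SBOM.
            "tools": [{"name": "example-sbom-generator", "version": "0.1"}],
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl(name, version, ecosystem),
            }
            for name, version in components
        ],
    }


def find_vulnerable(sbom, advisories):
    """Match SBOM components against advisories; return what needs updating."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] != adv["package"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                hits.append({
                    "name": comp["name"],
                    "installed": comp["version"],
                    "advisory": adv["id"],
                    "update_to": adv["affected_below"],
                })
    return hits


if __name__ == "__main__":
    sbom = build_sbom(INSTALLED_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    for hit in find_vulnerable(sbom, ADVISORIES):
        print(f"{hit['name']} {hit['installed']} -> update to "
              f"{hit['update_to']} ({hit['advisory']})")
```

The value of the SBOM is on the consuming side: once each component carries a name, a version and a package URL, the same document can be re-checked against new advisories long after the build, without rebuilding or re-scanning the artifact.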