CISO & CTO Guide to Supply Chain Security: Securing The Software Factory

You’ve likely heard a lot about software supply chain security.
We’ve simplified it while going deep into the real threats facing
your software supply chain.

This guide, designed for CISOs and CTOs, is a crash course in understanding the categorical threats putting your software factory at risk. It intends to help you learn about the risks–both visible and hidden–to critical components of your supply chain, what you can do to protect your organization from these existing and emerging supply chain threats, and provides resources for extended learning.
Defining the Software Supply Chain-2

Defining the Software Supply Chain

The software supply chain is everyone and everything that is involved in the development, testing, and deployment of your software artifacts.

Note that in this definition we excluded the entire consumer side of the supply chain. In the case of a SaaS service or API service, this would be the runtime environment. For brevity and focus we’re narrowing in on the software factory vs. the operational nature of running a software product.

Pillars of Supply Chain Risk

There are a number of critical components of your supply chain and your
supply chain security must address these interconnected areas.
Developer Risks
Developer Risks

Your developers are now your direct targets

  • Developer Account Compromises
  • Insider Threat
  • IP Theft and Credential Theft
First Party Code Risk
First Party Code Risk

Your own code is a critical attack surface

  • Writing Insecure Code, Designing Insecure Systems
  • Inserting Malicious Code into a Project Intentionally
  • IP Theft
  • Credential Theft
Third Party Code Risk
Third Party Code Risk

Open source and third-party software can create security issues

  • License Risk
  • Known Vulnerabilities
  • Unmaintained, End-of-Life or Poor Quality Software
  • Malware in OSS Packages
Development Infra Risk
Development Infrastructure Risk

This maybe one of your biggest blindspots

  • Compromising a misconfigured source control system
  • Compromising the source control system through extensions
  • Compromising the Build & Deployment Systems through extensions
  • Compromising the Artifact Registry
How AI impacts your software supply chain-1

How AI impacts your software supply chain

The use of coding assistants/copilots certainly increases the volume of code being produced, and, at least for now, produces less secure code. In fact, a recent Stanford University study found “participants who had access to [the] AI assistant were more likely to introduce security vulnerabilities for the majority of programming tasks, yet were also more likely to rate their insecure answers as secure compared to those in our control group.” 

When it comes to use of LLMs, they lack context about the overall application causing code snippets to incorporate bold assumptions and they often lack system threat model thinking in their design. Proprietary IP can also be placed into LLM’s, which raises questions about whether this IP can be served to other users, which happened at Samsung in 2023. Taken together, higher volume of code + more security issues per line of code = more vulnerabilities overall.

Download the Guide

 

AI Components 2-2

AI Components

If your application leverages AI technologies and services (be it Generative/LLM or Predictive/ML), then you will want to consider AI specific risks. There are many AI risk models out there, but commonly referenced ones would be the OWASP LLM Top 10 and OWASP ML Top 10. Risks vary from attackers inserting bad data into the model, to prompt injection, to supply chain attacks on these models, and much, much more.

Real World Supply Chain Attack

Codecov Attack-1
Codecov Attack

Target: Build Tools

The Codecov supply chain attack from a few years ago. The Codecov bash uploader script was modified by attackers to exfiltrate CI environment variables which often contain secrets. This allowed attackers to steal secrets from Codecov customers.

Bybit Crypto Wallet Hack-1
Bybit Crypto Wallet Hack

Developer Account Compromise

In February 2025, the Bybit crypto SAFE wallet hack resulted in a $1.4B loss, representing the biggest heist in history. This hack started with the compromise of a developer through a phishing or social engineering tactic. The hackers used the developer's compromised machine to inject malicious source code into the repository, conducted the attack, then removed the code.

XZ-Utils Near Miss-1
XZ-Utils Near Miss

Trusted Contributor Attack

The near miss of xz-utils which could have been the biggest cyber breach in history had it gone unnoticed. Jia Tan, the "name" of the developer (that was never caught) - spent 2 years working positively on an important, and widely used project, before inserting malicious code into it.

Banner Graphic 3 
 
 

Secure Your Supply Chain

The software supply chain is complex. This guide breaks it down into fifteen distinct risk areas to be aware of and how they can be compromised. Knowing what needs protecting is the first step in securing your software factory.   

Download the Guide