CISO & CTO Guide to Supply Chain Security: Securing The Software Factory
You've likely heard a lot about software supply chain security. We've simplified it while going deep into the real threats facing your software supply chain.
Defining the Software Supply Chain
The software supply chain is everyone and everything that is involved in the development, testing, and deployment of your software artifacts.
Pillars of Supply Chain Risk
Your supply chain has a number of critical components, and your supply chain security program must address all of these interconnected areas.
01. Your developers are now your direct targets
- Developer Account Compromises
- Insider Threat
- IP Theft and Credential Theft
02. Your own code is a critical attack surface
- Writing Insecure Code, Designing Insecure Systems
- Inserting Malicious Code into a Project Intentionally
- IP Theft
- Credential Theft
03. Open source and third-party software can create security issues
- License Risk
- Known Vulnerabilities
- Unmaintained, End-of-Life or Poor Quality Software
- Malware in OSS Packages
04. This may be one of your biggest blind spots
- Compromising a misconfigured source control system
- Compromising the source control system through extensions
- Compromising the Build & Deployment Systems through extensions
- Compromising the Artifact Registry
How AI impacts your software supply chain
The use of coding assistants/copilots certainly increases the volume of code being produced, and, at least for now, produces less secure code. In fact, a recent Stanford University study found "participants who had access to [the] AI assistant were more likely to introduce security vulnerabilities for the majority of programming tasks, yet were also more likely to rate their insecure answers as secure compared to those in our control group."
LLMs also lack context about the overall application, so the code snippets they produce often rest on bold assumptions, and their designs rarely reflect system-level threat model thinking. Proprietary IP can also end up inside LLMs, which raises the question of whether that IP can be served to other users, as happened at Samsung in 2023. Taken together, a higher volume of code + more security issues per line of code = more vulnerabilities overall.
AI Components
Real World Supply Chain Attack
The Codecov supply chain attack from a few years ago: the Codecov bash uploader script was modified by attackers to exfiltrate CI environment variables, which often contain secrets. This allowed the attackers to steal secrets from Codecov customers.
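The Codecov case shows the risk of fetching a vendor's helper script and executing it directly in CI. The following is an added example, not code from this guide or from Codecov: a POSIX shell check that refuses to run a downloaded script unless its SHA-256 digest matches a value the team has reviewed and pinned in the repository. The file names, script contents and digests in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the guide's or Codecov's code): execute a third-party
# helper script only if its SHA-256 matches a digest pinned alongside the
# pipeline definition. A tampered copy then fails closed instead of running.

# Compute the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest exactly equals the pinned digest.
verify_pinned() {
  script_path="$1"
  expected_digest="$2"
  actual_digest=$(sha256_of "$script_path")
  [ "$actual_digest" = "$expected_digest" ]
}

# Run the script through sh only after verification; otherwise refuse.
verify_and_run() {
  if verify_pinned "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to run $1: SHA-256 does not match pinned digest" >&2
    return 1
  fi
}

# Demo with constructed files: a reviewed script, then a modified copy.
demo() {
  work_dir=$(mktemp -d)
  printf 'echo "uploading coverage report"\n' > "$work_dir/uploader.sh"
  pinned=$(sha256_of "$work_dir/uploader.sh")   # value the team would commit

  echo "pinned digest: $pinned"
  verify_and_run "$work_dir/uploader.sh" "$pinned" && echo "reviewed copy ran"

  # Any change to the script, however small, invalidates the pin.
  printf 'echo "extra line added later"\n' >> "$work_dir/uploader.sh"
  if verify_and_run "$work_dir/uploader.sh" "$pinned" 2>/dev/null; then
    echo "unexpected: modified copy ran"
  else
    echo "modified copy was refused"
  fi
  rm -rf "$work_dir"
}

demo
```

In a real pipeline the pinned digest lives in version control next to the job definition, so changing it requires a reviewed commit; a script fetched from the vendor's server that no longer matches stops the job rather than running with access to the CI environment.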
In February 2025, the Bybit crypto SAFE wallet hack resulted in a $1.4B loss, representing the biggest heist in history. This hack started with the compromise of a developer through a phishing or social engineering tactic. The hackers used the developer's compromised machine to inject malicious source code into the repository, conducted the attack, then removed the code.
The xz-utils near miss could have been the biggest cyber breach in history had it gone unnoticed. "Jia Tan", the name used by the developer (who was never caught), spent 2 years contributing positively to an important and widely used project before inserting malicious code into it.
Understanding the Categorical Threats to Your Software Factory
This guide intends to help you learn about the risks, both visible and hidden, to the critical components of your supply chain, and what you can do to protect your organization from these existing and emerging supply chain threats. It also provides resources for extended learning.