In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials.
However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously. If you’ve heard of a cyber attack between 2020 and today, it’s likely that the software supply chain played a role.
When we talk about an attack on the software supply chain, we are actually referring to two successive attacks: one that targets a supplier, and one that targets one or more downstream users in the chain, using the first as a vehicle.
In this article, we will dive into the mechanisms and risks of the software supply chain by looking at a typical vulnerability of the modern development cycle: the presence of personal identifying information, or “secrets”, in the digital assets of companies. We will also see how companies are adapting to this new situation by taking advantage of continuous improvement cycles.
The supply chain, at the heart of the IT development cycle
What is the supply chain?
Today, it is extremely rare to see companies producing software 100% in-house. Whether it’s open source libraries, developer tools, on-premise or cloud-based deployment and delivery systems, or software-as-a-service (SaaS) services, these building blocks have become essential in the modern software factory.
Each of these “bricks” is itself the product of a long supply chain, making the software supply chain a concept that encompasses every facet of IT: from hardware, to source code written by developers, to third-party tools and platforms, but also data storage and all the infrastructures put in place to develop, test and distribute the software.
The supply chain is a layered structure that allows companies to implement highly flexible software factories, which are the engine of their digital transformation.
images from Hacker News