Developing applications and working within the software supply chain requires hard skills such as coding and proficiency in programming languages. However, protecting the software supply chain also requires some softer skills and an openness to strategies and tools that will strengthen your security posture. In this two-part series, we will discuss these considerations and how they support a holistic approach to application security and software supply chain security.

The latest BSIMM report, now in its 14th iteration, contains information from more than 130 companies in eight verticals about what’s working, what isn’t, what’s changing about the risks and threat landscapes they’re facing, and how they’re responding to those changes. This annual report by the Synopsys Software Integrity Group helps organizations maximize the benefits and minimize the pain of a world run by software.

Forescout Vedere Labs has identified a total of 21 new vulnerabilities affecting Sierra Wireless AirLink cellular routers and some of its open source components such as TinyXML and OpenNDS, which are used in a variety of other products.

Over sixty credit unions across the United States have been taken offline following a ransomware attack at one of their technology providers - demonstrating once again the damage that can be caused by a supply-chain attack. There are a few moving parts here, so here’s a quick summary: Trellance - A provider of solutions and services used by credit unions, and the parent company of FedComp. FedComp - a provider of software and services that enable credit unions to operate around the world.

Recently, the Microsoft Threat Intelligence Team has discovered a supply chain attack executed by North Korean attackers. The prime victim of this attack was CyberLink, a multimedia software company headquartered in Taiwan. This strategic infiltration in the CyberLink infrastructure impacted globally present customers, risking data integrity and confidentiality.

The software supply chain today runs differently than it did just five years ago. The number of available tools, languages, and packages used have exploded. Further, the growing mix of OSS packages puts organizations at risk of outdated software, untracked dependencies, and non-compliant licenses. To add to the chaos, teams are now increasingly distributed and greater in number. All of this dramatically increases the number of inputs within the software supply chain.

The digital ecosystem is an intricate web of interconnected technologies and processes. Within this network, supply chain cybersecurity has emerged as a critical component to safeguard against the growing threat landscape. As supply chains become increasingly digital, they also become more vulnerable to cyber attacks that can disrupt operations and compromise sensitive data.

As you begin developing your application to get services in front of your customers, you will notice a lot of processes and contributors are involved—from development to production. All of these processes and people are part of the “software supply chain.” It goes without saying that your software supply chain plays a crucial role in ensuring your business’s success.

In a supply chain attack, hackers aim to breach a target's defenses by exploiting vulnerabilities in third-party companies. These attacks typically follow one of two paths. The first involves targeting a service provider or contractor, often a smaller entity with less robust security. The second path targets software developers, embedding malicious code into their products. This code, masquerading as a legitimate update, may later infiltrate the IT systems of customers.