The escalation of international legislative interest in regulating the software supply chain has led to an increasing likelihood that tools such as software bills of materials (SBOMs) and AppSec solutions will become essential for companies doing business in the public sector or in highly regulated industries. However, the process of building and enforcing effective regulations presents challenges as well.

In the face of increasingly impactful malicious attacks, governments of leading economies have turned their attention to the software supply chain security. Regulations like the EU’s Digital Operational Resilience Act (DORA) for financial institutions and the Cyber Resilience Act (CRA) for software and hardware providers Australia’s 2023-2030 cybersecurity strategy, and the U.S.

Software supply chain attacks, or digital supply chain attacks, have become increasingly prevalent over the last couple of years. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party in the last three years. What’s the best way to protect against potential software supply chain attacks? To get the answer, let’s define what those attacks are, how they happen, and how you can defend against them.

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

We’re currently seeing a concerted effort from malicious actors to attack the supply chain through intentionally malicious packages. Our recent research shows a 315 percent rise in the publication of malicious packages to open source registries such as npm and RubyGems between 2021 and the end of Q3, 2022; about 85 percent of those packages stole credentials. This trend requires an urgent shift from detection to prevention.

Generative AI is the technology of the moment, and is actually being hyped as providing transformational benefits for years to come, including when it comes to software supply chain security. This subset of AI uses machine learning algorithms to generate new data and content. Given the increasing importance of the software supply chain, it is critical to use every measure possible to secure it. But this is no easy feat—96% of scanned codebases contain open source.

Recent events, including the 2020 COVID-19 pandemic, shifts in demand, and labor shortages have shone a spotlight on supply chain resilience – or lack thereof. In response, business leaders recognize that becoming more resilient is a necessity and are looking at strategies for doing so. As a best practice, Gartner recommends that companies diversify their manufacturing networks, utilize regional or local supply chains, add buffer capacity, and more.

Imagine constructing a building without a blueprint or cooking a complex recipe without a list of ingredients. It would be a chaotic and inefficient process, right? The same principle applies to manufacturing and production. That's where the Bill of Materials (BOM) comes into play. In this article, we will explore the meaning, purpose, and diverse types of BOMs, illustrating how they serve as the foundation for seamless production processes.

Thanks to globalization and rapidly developing technology, enterprise involves more connections than ever before, and more connections means more risk in the supply chain. Supply chain risk extends past those suppliers with whom you’re doing business directly. Beyond your third-party suppliers are their suppliers, and the supply chain continues branching out from there. In today's connected world, organizations must not isolate their supply chain risk management.

By now we know that software supply chain security issues are plentiful. And perhaps you’ve (wisely) decided that it’s a good idea to secure your software supply chain…you just haven’t gotten around to dealing with it yet, given other organizational priorities. The more software you use, the more important it becomes to secure it. Software supply chain attacks are increasing, and there are major implications if you don’t.