Software supply chain management covers the processes, tools, and policies used to control the components flowing into your software. High-profile attacks like SolarWinds and Log4Shell show why visibility matters — SBOMs provide the component inventory that makes supply chain risk management actionable.
Software supply chain management is the practice of identifying, assessing, and mitigating risks across the entire chain of components, tools, and processes used to develop and deliver software. A software supply chain encompasses everything that contributes to a finished application: open source libraries, third-party services, build tools, package registries, CI/CD pipelines, and the people and processes that connect them. Managing this chain is essential because a vulnerability or compromise at any point can propagate downstream to every consumer of the software.
What Is a Software Supply Chain?
A software supply chain is the complete set of components, dependencies, tools, and workflows involved in creating, building, and distributing a piece of software. Just as a physical supply chain traces the path of raw materials through manufacturing to a finished product, a software supply chain traces the path of code from its origins to its deployment.
Modern applications are overwhelmingly assembled rather than written from scratch. Studies consistently show that 70-90% of a typical application consists of open source components drawn from public package registries like npm, PyPI, Maven Central, and crates.io. Each of these components has its own dependencies, creating a deep tree of transitive dependencies that most development teams never manually audit.
This reality makes software supply chain risk management (SSCRM) a critical discipline. If a single component in your dependency tree is compromised, vulnerable, or abandoned, the risk flows directly into your application and to your users.
Chain of Custody in Software
Chain of custody is a concept borrowed from forensics and physical supply chains. In the software context, chain of custody refers to the documented trail that records who created, modified, built, and distributed each component in a software product. A robust chain of custody answers questions like:
- Where did this component originate?
- Who authored and maintained it?
- Was it modified between the source repository and the package registry?
- Was the build process reproducible and tamper-evident?
Software Bills of Materials (SBOMs) provide the component-level inventory that underpins chain of custody. Frameworks like SLSA (Supply-chain Levels for Software Artifacts) and in-toto add attestation layers that cryptographically verify each step in the build process.
Major Software Supply Chain Attacks
Several high-profile incidents have demonstrated the consequences of supply chain compromise.
SolarWinds (2020)
Attackers compromised the build system of SolarWinds’ Orion IT monitoring platform, injecting malicious code into a routine software update. Approximately 18,000 organizations, including U.S. government agencies, installed the compromised update. The attack was attributed to a state-sponsored actor and went undetected for months. It demonstrated that compromising a single widely-used vendor can provide access to thousands of downstream organizations.
Log4Shell (2021)
CVE-2021-44228, known as Log4Shell, was a critical remote code execution vulnerability in Apache Log4j, a ubiquitous Java logging library. The vulnerability affected millions of applications worldwide. Organizations without component inventories struggled for weeks to determine whether they were affected. This incident became the single most cited argument for SBOM adoption: organizations with SBOMs could identify affected systems in minutes.
XZ Utils Backdoor (2024)
CVE-2024-3094 revealed a deliberately planted backdoor in the XZ Utils compression library, a component present in virtually every Linux distribution. A malicious contributor spent years building trust in the project before inserting the backdoor. This attack showed that supply chain risks include not just accidental vulnerabilities but intentional sabotage through social engineering of open source maintainers.
Common Attack Vectors
| Attack Vector | Description | Example |
|---|---|---|
| Build system compromise | Injecting malicious code during the build/CI process | SolarWinds |
| Dependency confusion | Publishing malicious packages with names that overlap internal packages | Multiple incidents across npm, PyPI |
| Typosquatting | Publishing packages with names similar to popular libraries | Thousands of examples across registries |
| Maintainer compromise | Gaining control of a legitimate package through social engineering | XZ Utils |
| Vulnerable dependency | Exploiting a known vulnerability in a widely-used component | Log4Shell |
Software Supply Chain Risk Management Frameworks
Several frameworks provide structured approaches to managing software supply chain risk.
NIST C-SCRM (SP 800-161 Rev 1)
NIST SP 800-161 Rev 1 (“Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”) provides the most comprehensive federal guidance on supply chain risk. It builds on the NIST SP 800-53 control framework, particularly the SR (Supply Chain Risk Management) family, and provides detailed practices for identifying, assessing, and mitigating supply chain risks throughout the system development life cycle.
Executive Order 14028
Executive Order 14028 (“Improving the Nation’s Cybersecurity”, 2021) directed federal agencies to enhance software supply chain security, including requiring SBOMs from software vendors and establishing the NTIA minimum elements for SBOM content.
EU Cyber Resilience Act
The EU Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to identify and document vulnerabilities and components, including providing SBOMs. The CRA makes software supply chain transparency a legal obligation for products sold in the EU market.
SLSA Framework
SLSA (Supply-chain Levels for Software Artifacts) is a framework from the OpenSSF that defines three levels of build security maturity in the current v1.0 specification. Each level adds protections: from documenting build provenance (Level 1) through using a hosted build platform (Level 2) to hardened, tamper-resistant builds (Level 3).
How SBOMs Support Supply Chain Management
An SBOM is the foundational tool for software supply chain visibility. Without knowing what components are in your software, you cannot assess supply chain risk. SBOMs support supply chain management in several ways:
-
Component visibility. SBOMs provide a complete inventory of every library, framework, and module in your application, including transitive dependencies that developers may not be aware of.
-
Vulnerability identification. Once you have an SBOM, platforms like sbomify and OWASP Dependency-Track can continuously match your components against vulnerability databases like the NVD and CISA KEV catalog.
-
License compliance. SBOMs document the license of each component, enabling automated detection of copyleft or restrictive licenses that may create legal obligations. See our GPL license guide for details on copyleft compliance.
-
Incident response. When a new vulnerability is disclosed, SBOMs allow you to immediately determine which of your products are affected, drastically reducing response time.
-
Regulatory compliance. Multiple frameworks now require or strongly recommend SBOMs, including EO 14028, the EU CRA, and FDA medical device guidance. See our compliance guide for a complete comparison.
To start generating SBOMs for your projects, see our language-specific SBOM guides covering Python, JavaScript, Java, Go, Rust, and more.
Best Practices for Software Supply Chain Security
-
Generate and maintain SBOMs. Automate SBOM generation in your CI/CD pipeline using tools like the sbomify GitHub Action. Keep SBOMs current with every release.
-
Monitor dependencies continuously. Do not rely on point-in-time audits. Use SBOM-based monitoring to catch newly disclosed vulnerabilities in your deployed components.
-
Verify component provenance. Use signed packages, verify checksums, and adopt frameworks like SLSA to ensure components have not been tampered with between source and deployment.
-
Minimize your dependency footprint. Fewer dependencies mean a smaller attack surface. Regularly review and remove unused dependencies. Prefer well-maintained libraries with active security response processes.
-
Pin and lock dependencies. Use lock files to ensure reproducible builds and prevent unexpected dependency updates. Review dependency changes before merging.
-
Establish a vulnerability response process. Define SLAs for patching based on severity and exploitability. Monitor the CISA KEV catalog for actively exploited vulnerabilities in your stack.
-
Evaluate suppliers. For critical commercial dependencies, assess the vendor’s security practices, including whether they provide SBOMs and maintain vulnerability disclosure processes.
Frequently Asked Questions
What is software supply chain management?
Software supply chain management is the practice of identifying, assessing, and mitigating risks across the full chain of components, tools, and processes used to build and deliver software. It encompasses open source dependency management, build pipeline security, vendor assessment, and ongoing vulnerability monitoring. The goal is to ensure that every component in your software is known, trusted, and up to date.
What is a chain of custody in software?
Chain of custody in the software context refers to the documented, verifiable record of who created, modified, built, and distributed each component in a software product. It establishes trust by providing evidence that a component has not been tampered with between its source and its deployment. SBOMs, build attestations (like SLSA provenance), and code signing are the primary tools for establishing software chain of custody.
How do SBOMs help with supply chain security?
SBOMs provide the component-level visibility that is the foundation of supply chain security. Without knowing what is in your software, you cannot assess risk, identify vulnerabilities, or respond to incidents. SBOMs enable automated vulnerability scanning, license compliance checking, and rapid incident response when new vulnerabilities like Log4Shell are disclosed. They are required or recommended by most major compliance frameworks.
What is the NIST risk management framework for supply chains?
NIST publishes several frameworks relevant to supply chain risk management. NIST SP 800-161 Rev 1 is the primary guidance for cybersecurity supply chain risk management (C-SCRM). NIST SP 800-53 Rev 5 includes the SR (Supply Chain Risk Management) control family with specific controls for provenance (SR-4) and supply chain processes (SR-3). These frameworks are increasingly referenced in procurement requirements and compliance obligations.
What are the biggest software supply chain risks?
The most significant risks include: vulnerable open source dependencies (the most common attack surface), compromised build systems (as in SolarWinds), malicious packages in public registries (typosquatting and dependency confusion), and social engineering of open source maintainers (as in XZ Utils). Transitive dependencies, which are pulled in indirectly and often unreviewed, represent a particularly underestimated risk.
Found an error or typo? File a PR against this file.