The vulnerabilities perforating the global supply chain have remained dormant for many years. But the violent disruptions of the pandemic finally pushed these risks to the surface, revealing the detrimental impacts of their exploitation to the world.

The White House and the Executive Office of the President have just issued a memorandum for the heads of U.S. government and federal executive departments and agencies for enhancing the security of the software supply chain through secure software development practices.

Code that an organization’s developers create is only the beginning of modern software development. In fact, first-party code is likely to be only a small proportion of an application – sometimes as little as 10% of the application’s artifact ecosystem. An enterprise’s software supply chain is made of many parts, from many sources: open source packages, commercial software, infrastructure-as-code (IaC) files, and more.

Not all of the recognizable risks in your software supply chain can be identified by their known vulnerabilities recorded as CVEs. A component that is outdated or inactive may present risks to your application that no one has had cause to investigate. Yet these components could still harbor threats.

Software supply chain is anything and everything that contributes to making software functional. This includes code in the developer system, the CICD pipeline, dependencies, binaries, and deployed software in production, as well as people, processes, and the technology space. With the growing adoption of assembling software from distributed, unmanaged components rather than building it from scratch, more often than not, organizations are not aware whose, or what, code is running within their software.