Supply Chain Security

Supply chain - all components, libraries, tools, services and processes used to develop, build and publish software

Supply chain security - the measures taken to protect that chain and the artifacts that flow through it

Supply chain attack - compromise of one link in the chain (a dependency, a build tool, a publishing step) to inject malicious code that is then delivered to every downstream consumer

Your responsibilities

Make sure you are not part of the problem - what you publish is somebody else's dependency

Check where you get stuff from - know the origin and integrity of every dependency, tool and base image you pull in

Your risk

Unable to solve recursively - every dependency has its own dependencies, so the set of parties you implicitly trust is the whole transitive tree, which you cannot audit yourself

Approaches

Automated dependency updates, e.g. RenovateBot - shortens the window between a fix being released upstream and it landing in your build

Software Bill of Materials (SBoM) generation - a machine-readable inventory of what went into an artifact

Artifact signing - lets consumers verify who published an artifact and that it was not modified after publishing

Attestations - signed metadata for artifacts

Provenance https://slsa.dev/provenance/v0.1 - description of how, by whom and from which sources an artifact was created
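Signing and provenance only help if the consumer actually checks them. As an added example (not code from the page, nor from the SLSA or in-toto projects), the following Python checks an SLSA v0.1 provenance statement against the bytes of a downloaded artifact: the subject digest must match a hash you compute yourself, the builder must be one you trust, and the build must have been defined in the source repository you expect. It assumes the statement has already been taken out of its signed envelope and the signature verified; the artifact bytes, the statement, the builder id and the repository URI are all constructed for the example.

```python
"""Post-signature checks on an SLSA v0.1 provenance statement.

Added example, not project code. Assumes signature verification of the
enclosing envelope has already happened; the artifact, statement, builder
id and source URI below are constructed for illustration.
"""
import copy
import hashlib

INTOTO_STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"

# Constructed "downloaded artifact" that the provenance should describe.
ARTIFACT = b"#!/bin/sh\necho hello from release v1.2.3\n"

# Constructed provenance statement in SLSA v0.1 shape. The builder id,
# recipe type and material URI are hypothetical.
PROVENANCE = {
    "_type": INTOTO_STATEMENT_V01,
    "subject": [{"name": "tool-v1.2.3.sh",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_PROVENANCE_V01,
    "predicate": {
        "builder": {"id": "https://ci.example.com/builders/release@v1"},
        "recipe": {"type": "https://ci.example.com/Recipe@v1",
                   "definedInMaterial": 0, "entryPoint": "release.yml"},
        "materials": [
            {"uri": "git+https://github.com/example/tool@refs/tags/v1.2.3",
             "digest": {"sha1": "a" * 40}},
        ],
        "metadata": {"completeness": {"materials": True}},
    },
}

# Policy the consumer decides on, not something read from the statement.
TRUSTED_BUILDERS = {"https://ci.example.com/builders/release@v1"}
EXPECTED_SOURCE_PREFIX = "git+https://github.com/example/tool@"


def verify_provenance(statement, artifact, trusted_builders, expected_source_prefix):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if statement.get("_type") != INTOTO_STATEMENT_V01:
        findings.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V01:
        findings.append(f"unexpected predicateType {statement.get('predicateType')!r}")
        return findings  # predicate layout unknown, do not guess at it

    # 1. The subject must be the exact bytes we hold. Hash them ourselves;
    #    never trust a digest that travelled next to the artifact.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        findings.append(f"artifact sha256 {actual} not among provenance subjects")

    predicate = statement.get("predicate", {})
    # 2. Only accept builds from a builder identity you have chosen to trust.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        findings.append(f"builder {builder_id!r} is not trusted")

    # 3. The material the recipe was defined in must be the expected source repo.
    materials = predicate.get("materials") or []
    idx = predicate.get("recipe", {}).get("definedInMaterial")
    if not isinstance(idx, int) or not 0 <= idx < len(materials):
        findings.append("recipe.definedInMaterial does not point at a material")
    else:
        uri = materials[idx].get("uri", "")
        if not uri.startswith(expected_source_prefix):
            findings.append(f"build source {uri!r} does not match {expected_source_prefix!r}")

    # 4. If the builder admits the material list is incomplete, nothing can be
    #    concluded about unlisted inputs; surface that rather than passing.
    completeness = predicate.get("metadata", {}).get("completeness", {})
    if not completeness.get("materials", False):
        findings.append("materials list is marked incomplete")
    return findings


def main():
    print("genuine:", verify_provenance(PROVENANCE, ARTIFACT,
                                        TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
    # A download altered after the build: the subject digest no longer matches.
    tampered = ARTIFACT.replace(b"hello", b"hallo")
    print("tampered:", verify_provenance(PROVENANCE, tampered,
                                         TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
    # Same bytes, but the statement names a builder outside the trusted set.
    rogue = copy.deepcopy(PROVENANCE)
    rogue["predicate"]["builder"]["id"] = "https://laptop.example.net/dev"
    print("rogue builder:", verify_provenance(rogue, ARTIFACT,
                                              TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))


if __name__ == "__main__":
    main()
```

The trusted-builder set and the expected source prefix are the consumer's policy; the statement itself cannot tell you whether to believe it, which is why the builder identity and the source repository are compared against values you chose in advance rather than read from the attestation.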

Notable projects

Supply Chain Levels for Software Artifacts (SLSA)

sigstore

in-toto